Responsible Disclosure Policy

Introduction

At Kief Skole, we prioritize the security of our platform to create a safe environment for schools, vendors, and parents. If you have discovered a security vulnerability on our website or within our service, we encourage you to report it responsibly. When vulnerabilities are reported in compliance with this policy, Kief Skole will promptly validate and resolve them, demonstrating our commitment to data privacy and platform security.

We will not take legal action or restrict your access if you responsibly report a vulnerability in line with this policy. Kief Skole, however, reserves its legal rights in cases of non-compliance with this policy.

If you suspect unauthorized access to your account or any unusual activity, please reach out immediately at [email protected].

Reporting a Security Vulnerability

To report a security vulnerability, please contact us at [email protected] and include the following information for efficient validation and resolution:

  • Detailed Description: Include the vulnerability type, the URL or API endpoint where it occurs, and a clear description.
  • Steps to Reproduce: Provide a step-by-step guide to recreate the vulnerability, including any test accounts used.
  • Proof-of-Concept (PoC): Scripts or tools to demonstrate the issue and any associated attack scenarios, if applicable.

Please refrain from sharing or discussing your findings externally, including on blogs or social media, and perform your testing with a test account that Kief Skole can identify as yours.

In-Scope Findings

Kief Skole encourages reports on the following vulnerability types across its domain and subdomains:

  • Authenticated web application vulnerabilities.
  • Administrative panels or open ports accessible to the public.
  • Attacks such as Cross-Site Scripting (XSS), SQL injection, and XML External Entity (XXE) injection.
  • Remote code execution and permission bypass.
  • Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF).
  • Privilege escalation and unauthorized access.

Out-of-Scope Restrictions

While we appreciate research from ethical security professionals, Kief Skole prohibits the following actions:

  • Accessing, altering, or deleting any customer account data.
  • Executing Denial of Service (DoS) attacks or degrading platform performance.
  • Uploading or transmitting malicious software.
  • Sending unauthorized emails or messages, including spoofing, spam, or phishing.
  • Testing vulnerabilities on third-party pages, such as payment processors.

Any testing that goes beyond these restrictions requires explicit permission from Kief Skole’s security team.

Non-qualifying Submissions

Vulnerabilities are evaluated based on risk and exploitability. The following do not qualify under this policy:

  • Informational error messages, known public files (e.g., robots.txt), or basic HTTP method settings (e.g., OPTIONS/TRACE).
  • Self-XSS, clickjacking on non-sensitive pages, and SSL weaknesses.
  • Username enumeration, missing HTTP security headers, or findings from static analysis tools.
  • Issues in third-party applications or publicly known vulnerabilities.

These findings may qualify if they demonstrate a realistic, exploitable attack chain.

Our Commitment

When you report a vulnerability in line with this policy, Kief Skole commits to:

  • Promptly acknowledging receipt of your report.
  • Confirming the validity of your report.
  • Issuing a certificate of appreciation for first reports on newly identified, valid vulnerabilities.

Kief Skole does not operate a bug bounty program and offers no monetary reward for valid disclosures. We appreciate your commitment to platform security and thank you for helping to protect our community.