
Responsible Disclosure Policy

Breakout Learning Inc.


Purpose

To allow for the reporting and disclosure of vulnerabilities discovered by external entities, and the anonymous reporting of information security policy violations by internal entities.


Scope

Breakout Learning Inc’s Responsible Disclosure Policy applies to Breakout Learning Inc’s core platform and its information security infrastructure, and to internal and external employees or third parties.


Background

Breakout Learning Inc is committed to ensuring the safety and security of our customers and employees. We aim to foster an environment of trust and an open partnership with the security community, recognizing the importance of vulnerability disclosures and whistleblowers. This policy reflects our corporate values and legal responsibilities, promoting collaboration with security researchers acting in good faith.


Roles and Responsibilities

Development Team:

  • Vulnerability Remediation: Responsible for addressing identified vulnerabilities in a timely manner.
  • Testing and Validation: Responsible for testing and validating the remediation efforts before deploying fixes to production.
  • Timely Resolution: Prioritizes vulnerability remediation based on severity and ensures prompt deployment of fixes.

Legal Posture

Breakout Learning Inc will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We welcome reports and agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Breakout Learning Inc or its customers.
  • Conduct vulnerability testing within the scope of our disclosure program.
  • Refrain from disclosing vulnerability details before an agreed-upon timeframe expires.

Policy

Vulnerability Report/Disclosure

How to Submit a Vulnerability
To submit a vulnerability report to Breakout Learning Inc’s Product Security Team, please email support@breakoutlearning.com.

Preference, Prioritization, and Acceptance Criteria

  • Well-written reports in English will receive higher priority.
  • Proof-of-concept code is encouraged to help with triage.
  • Reports including only crash dumps or automated tool output may receive lower priority.
  • Submissions regarding products not on the scope list may also receive lower priority.
  • Please include details on how the bug was found, its impact, and potential remediation.

What to Expect from Breakout Learning Inc

  • A response within 2 business days.
  • An expected remediation timeline after triage.
  • Open communication throughout the process.
  • Credit for validated and fixed vulnerabilities.

Revision History

| Version | Date | Editor | Approver | Description of Changes |
|---|---|---|---|---|
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |