Security
Responsible Disclosure – report vulnerabilities safely and respectfully.
Responsible Disclosure
We take the security of our systems seriously. If you believe you have found a vulnerability or security issue that may affect classid.io or our services, we appreciate responsible disclosure so we can investigate and fix it.
Email: [email protected]
Subject: Security vulnerability report
Tip: include screenshots, affected URLs, reproduction steps, and a clear impact description.
What we ask
- Report the issue as soon as possible and provide enough detail for us to reproduce it.
- Do not exploit the issue beyond what is necessary to demonstrate it (no data access, copying, modification, or deletion).
- Do not perform tests that impact availability (DDoS, stress tests, or large-scale automated scanning).
- Respect privacy and confidentiality: access only what is strictly necessary to demonstrate the issue.
- Do not publicly disclose the vulnerability before we have had the opportunity to deploy a fix.
What you can expect from us
- We will acknowledge receipt of your report within a reasonable timeframe.
- We will investigate the report and work toward a fix.
- We may request additional information to reproduce or validate the issue.
- Where appropriate, we will keep you informed about progress.
If you follow this policy and act in good faith, we will not pursue legal action against you for your security research.
Rewards (discretionary – no formal bug bounty program)
We do not operate a formal bug bounty program, so there is no guaranteed reward. However, we may offer a discretionary reward for eligible reports.
Please note that we are a startup with limited budgets. Our mission is to help schools, and we therefore operate with very tight financial resources. As a result, any reward amounts are modest and always dependent on our available budget at the time of reporting.
How we evaluate eligibility
- Novelty: the issue must be new and previously unknown to us.
- Severity & impact: what is the real-world impact?
- Reproducibility: can we reliably reproduce it?
- Report quality: clear steps, proof-of-concept, and impact explanation.
- Responsible conduct: no misuse, respect for privacy/confidentiality.
Only new issues may be considered for a reward. Issues that are already known, previously reported, duplicates, purely theoretical, or not reproducible are generally not eligible.
Indicative severity & possible reward (guidelines)
The examples and amounts below are guidelines only. All decisions remain case-by-case and fully discretionary.
| Severity | Examples | Indicative reward |
|---|---|---|
| Low | Outdated libraries without demonstrable exploitability, informational findings with no direct impact, misconfigurations without demonstrable risk. | €0 – €50 |
| Medium | XSS (reflected/stored) with clear impact, weak session/cookie settings with demonstrable risk, authorization issues with limited scope. | €50 – €250 |
| High | SQL injection, authentication/authorization bypass, privilege escalation, remote code execution, exposure of sensitive user data. | €250+ |
Scope
In scope:
- Publicly accessible websites and systems operated by us under classid.io.
Out of scope (examples):
- Third-party services not controlled by us (unless they directly impact our systems).
- DDoS, stress testing, or large-scale automated scanning.
- Social engineering / phishing.
- Physical attacks.