<!--
SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2026 UpskillZone, Inc.
-->

# UpskillZone Vulnerability Disclosure Policy

- **Version:** 1.0
- **Effective:** 2026-05-03
- **Canonical URL:** https://upskillzone.com/legal/security
- **Contact:** security@upskillzone.com

UpskillZone operates a credentialing platform whose value depends on the
integrity of its issuer signing chain, the verifiability of issued
credentials, and the impartiality of its talent ranking. We treat external
security research as a critical control and welcome reports from
independent researchers under the terms below.

---

## §1 Reporting a Vulnerability

Send vulnerability reports to **security@upskillzone.com**. Reports SHOULD
be encrypted to the PGP key whose fingerprint is:

```
PGP Fingerprint: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
```

(The current key and an `age` recipient are published at
`https://upskillzone.com/.well-known/security.txt` and listed in §9 below.)

A complete report includes: a description of the issue, affected component
or endpoint, reproduction steps or proof-of-concept, the impact you
believe an attacker could achieve, and any logs, request IDs, or
timestamps generated during testing. We acknowledge receipt within two
business days and provide a triage decision within five business days.

Researchers acting in good faith under this policy will not be pursued
under the Computer Fraud and Abuse Act, the Digital Millennium Copyright
Act §1201, or analogous foreign statutes. We will not initiate civil
action and will, where authorized, intervene if a third party does.

## §2 Scope (IN)

The following surfaces are in scope for this policy and the bounty in §4:

- **Platform code.** The first-party web application served from
  `upskillzone.com` and `app.upskillzone.com`, the API surface at
  `api.upskillzone.com`, the mobile clients distributed under the
  `com.upskillzone` package identifier, and all source repositories
  published under `github.com/upskillzone`.
- **Issuer signing chain.** Any control that affects the confidentiality
  of the issuer signing key, the integrity of the credential signing
  pipeline, the binding between learner identity and issued credential,
  or the trust anchors distributed with the verifier. Key-compromise,
  signature-forgery, and trust-store-poisoning findings are explicitly in
  scope.
- **`talent_search` ranking integrity.** Any input, parameter, or
  side-channel that allows a candidate, employer, or third party to bias
  the `talent_search` ranker beyond the documented signals — including
  but not limited to credential replay, score injection through profile
  fields, ordering attacks via concurrent writes, and coercion of the
  fairness audit pipeline.
- **Credential verifier.** The hosted verifier at
  `verify.upskillzone.com`, the embeddable verifier widget, and the
  open-source verifier reference implementation. Findings that allow a
  forged or revoked credential to verify as valid are critical.

## §3 Scope (OUT)

The following are out of scope. Reports against these surfaces will be
closed as informational and are not eligible for bounty:

- **Third-party dependencies we consume.** Vulnerabilities in Stripe,
  AWS, Cloudflare, Auth0, GitHub, or any other vendor on whose
  infrastructure we rely. Report those issues to the upstream vendor; we
  are happy to coordinate.
- **Out-of-band attacks.** Phishing, vishing, or smishing of UpskillZone
  staff, contractors, or founders; physical access to UpskillZone
  premises; social engineering of support agents; supply-chain attacks
  staged outside our build infrastructure.
- **Best-practice hardening absent demonstrated impact.** Missing
  security headers, TLS configuration warnings from automated scanners,
  rate-limit findings without a working amplification, and reports
  generated solely from automated tooling output.
- **Self-XSS, self-CSRF, and clickjacking absent a sensitive sink.**
- **Denial-of-service findings.** See §7.

## §4 Bug Bounty

Awards are paid in USD via the channel of the researcher's choice.
Initial range is **$100 to $5,000** per validated, in-scope finding.
Severity is determined by UpskillZone using CVSS v4.0 as a starting
point, adjusted for exploitability and the trust impact specific to a
credentialing platform.

High-severity findings affecting the **issuer signing key** — including
extraction, replacement, downgrade, or unauthorized signing oracle — may
be awarded **above the stated range** on a case-by-case basis. We
reserve the right to set the final amount; researchers may appeal a
triage decision once.

Duplicates are awarded to the first complete report. Chained findings
are awarded as a single issue at the chained severity.

## §5 Coordinated Disclosure

We operate a **90-day** coordinated disclosure window from the date we
acknowledge a valid report. Within that window we will: confirm the
issue, agree a remediation timeline with the reporter, ship the fix, and
prepare a coordinated post-mortem. If remediation requires longer than
90 days we will negotiate an extension in writing.

On the disclosure date we publish a coordinated post on the UpskillZone
engineering blog crediting the reporter (with permission), describing
the vulnerability, detailing the fix, and noting any user-visible
impact. CVE assignment is requested where applicable.

## §6 Hall of Fame

Reporters of valid findings are listed publicly on
`https://upskillzone.com/security/hall-of-fame` **only with explicit
written permission**. The default is no listing. Listings include the
reporter's chosen handle and, optionally, a link of their choice; we do
not list employer affiliations without separate confirmation.

## §7 Things You Should NOT Do

The following activities are prohibited and place a researcher outside
the safe harbor of this policy:

- **No destructive testing.** Do not modify, delete, or exfiltrate data
  belonging to other users. Use only accounts you control or accounts we
  have provisioned for testing.
- **No denial-of-service.** Do not run load, stress, volumetric, or
  resource-exhaustion tests against any UpskillZone surface, including
  the verifier and the `talent_search` endpoint.
- **No testing against real learner accounts.** Do not register, log
  into, or interact with accounts you do not own. Do not attempt to
  access PII, completed assessments, or issued credentials belonging to
  third parties.
- **Report incidental access immediately.** If you incidentally access
  PII, credential material, or signing-key-adjacent data while
  investigating an issue, stop testing, preserve a minimal record needed
  to demonstrate impact, and contact security@upskillzone.com within 24
  hours. Do not retain, share, or publish the data.
- **No high-rate automated scanning.** Do not run automated scanning that
  generates more than 5 requests per second against any single endpoint
  without prior written authorization.
- **No use of findings beyond demonstration.** Do not use findings against
  UpskillZone production data, customers, or partners outside the scope of
  demonstrating the vulnerability to us.

## §8 Recognition

In addition to the cash bounty in §4, validated reporters are eligible
for: branded swag (shirts, stickers, hardware tokens), an invitation to
the annual UpskillZone security review call, and listing in the Hall of
Fame (§6) at the reporter's option. Gifts and swag are supplemental and
do not substitute for the bounty payable under §4.

## §9 Encrypted Reporting

Encrypt sensitive reports with one of the following recipients:

- **PGP** — fingerprint
  `AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333`, downloadable
  from `https://upskillzone.com/.well-known/pgp-key.asc`.
- **age** — recipient
  `age1upskillzonesecurityplaceholder0000000000000000000000000000`,
  published alongside the PGP key.

If you cannot encrypt, send a plain-text message asking us to provide a
secure channel and we will respond with a one-time upload link. Do not
send proof-of-concept exploits, signing-key material, or learner PII
over unencrypted email.

---

*This policy is published under the Apache License, Version 2.0. Forks
are welcome; please update §1, §2, and §9 to reflect your own contact
information and trust anchors before deployment.*
