Responsible Disclosure Program

At Blake eLearning the security of our customers' data is of highest importance. If you have discovered what appears to be a vulnerability in any of our sites or products, then we appreciate your help in disclosing this to us in a coordinated and responsible manner.

Guidelines

The expectations of both parties relating to reported vulnerabilities are outlined below.

Security Researchers must:

• send full details of the perceived vulnerability to security@readingeggs.com encrypted using our PGP KEY including:
   
  • an explanation of the vulnerability
  • a list of sites and applications that may be affected (where possible)
  • steps to reproduce the vulnerability
  • proof‑of‑concept code (where applicable)
  • the names of any test accounts you have created (where applicable)
  • your contact information.
     
• Allow us time to review the reported vulnerability.
• Not publicly disclose these details without our express written consent.
• Maintain full confidentiality of all communications with Blake eLearning.
• Fully comply with the Responsible Disclosure Program.

The Blake eLearning Security Team will:

• review all disclosures and respond to the reporter within 72 hours
• if necessary, take steps to remediate vulnerabilities as soon as possible
• publicly recognise the reporter with their consent, if a new, unique and genuine vulnerability has been identified.

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non‑compliance, we reserve all of our legal rights.

If in doubt, please contact the Blake Security Team by sending an email to security@readingeggs.com.

Out‑of‑Scope Vulnerabilities

We encourage responsible security research on our sites and applications on those to which you have authorised access.

The following types of research are not allowed:

• accessing or attempting to access accounts or data that do not belong to you
• any attempt to modify or destroy any data
• testing in a manner that would degrade the operation of our services
• sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
• conducting social engineering (including phishing) of Blake eLearning’s employees, contractors or customers or any other party
• any physical attempts against our property, including (but not limited to) offices and warehouses
• use of malware, viruses or similar harmful software that could impact our services, products or customers or any other party
• testing third‑party websites, applications or services that integrate with our services or products
• the use of automated vulnerability scanners
• exfiltrating any data under any circumstances
• activity that violates any law.

The following finding types are excluded from this Responsible Disclosure Program:

• vulnerabilities identified with automated tools (including web scanners) that do not include proof‑of‑concept code or a demonstrated exploit
• third‑party applications, websites, or services that integrate with or link to Blake eLearning's site or services
• discovery of any in‑use service (vulnerable third‑party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.

Recognition

Blake eLearning does not offer a bounty program or provide compensation in exchange for security vulnerability submissions.