Vulnerability Disclosure Policy

ClassLens welcomes good-faith security research. This policy describes how to report a vulnerability and what to expect in return.

Last updated: 2026-04-27

A. What’s in scope

Safe harbor under this policy is limited to good-faith research on the production ClassLens application at classlens.com and its public APIs as scoped below. Other Evolved Academics properties (including the evolvedacademics.com marketing site, third-party-hosted content, and integrations not under our direct operational control) are out of scope. Researchers who believe they have identified an issue affecting an out-of-scope property should report it to security@evolvedacademics.com without further testing.

The following ClassLens assets are in scope:

  • The ClassLens web application at https://www.classlens.com and any subdomain hosting application UI.
  • In-scope public APIs are limited to endpoints documented in our public API reference. The following endpoints are explicitly out of scope and should not be tested:
    • /api/webhooks/* — third-party webhook receivers (Stripe, Google, etc.) that perform integrity-verified processing on inbound events from external systems. Testing here can interfere with billing reconciliation or trigger anti-abuse signals at the upstream provider.
    • /auth/*/callback and OAuth state-handling endpoints — testing these can interfere with active user authentication flows.
    • Any endpoint that writes to billing, payment, or account-state systems.
  • Public web assets at classlens.com, including the /.well-known/ paths.

Researchers who believe they have identified a vulnerability in an out-of-scope endpoint should report it via security@evolvedacademics.com without further testing. Such reports are welcome and we will respond in good faith, but the safe-harbor protections in this policy apply only to research conducted within scope.

The following categories are also out of scope:

  • Third-party services we use as subprocessors (AWS, Cloudflare, Google, Stripe, GitHub) — please report directly to those providers.
  • Social engineering of Evolved Academics employees or contractors.
  • Physical security testing of any office or residence.
  • Volumetric attacks (DoS, DDoS, brute-force at the network layer).
  • Spam or content abuse not tied to a security control failure.

B. What you may do

Within the scope above, you are authorized to perform the following types of testing in good faith:

  • Identify, test, and verify vulnerabilities using non-destructive techniques.
  • Use a personal test account to investigate authentication, authorization, and session-handling issues. Please create accounts using a +vdp Gmail alias (e.g., you+vdp@gmail.com) and a clearly testing-only display name.
  • Submit findings privately to the channel below before any public disclosure.

You may not:

  • Access, modify, or destroy data belonging to other users.
  • Disrupt service for other users (rate-limited testing only).
  • Disclose vulnerabilities publicly before we have had a reasonable chance to remediate (default 90 days; see Section E).

C. Our commitment to you (Safe harbor)

We will not pursue legal action against security researchers for activities conducted in good faith and consistent with this policy. Specifically, we will not pursue claims under any of the following, including but not limited to:

  • the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030);
  • the anti-circumvention provisions of the Digital Millennium Copyright Act (17 U.S.C. § 1201);
  • the federal Stored Communications Act (18 U.S.C. § 2701 et seq.);
  • California Penal Code § 502(c) and equivalent computer-misuse statutes in other U.S. states;
  • the federal Wiretap Act (18 U.S.C. § 2511) and equivalent state wiretap statutes, to the extent applicable.

The list above is illustrative and not exhaustive.

We will also not ask law enforcement to investigate you, and we will work with you to understand and resolve the issue quickly.

This safe harbor applies to the work you do under this policy. It does not authorize testing outside the in-scope assets above, and it does not waive any third party’s rights.

D. How to submit a report

Send a report to security@evolvedacademics.com.

Please include:

  • A description of the vulnerability and where you found it.
  • Steps to reproduce, including any sample requests, payloads, or screenshots.
  • The impact you believe the issue could have.
  • Any suggested mitigations, if you have them.
  • Whether you would like to be acknowledged publicly (see Section F).

E. What happens after you submit

  • We acknowledge receipt within 2 business days.
  • We confirm the vulnerability and assign a severity within 5 business days of triage.
  • We remediate per the following targets:
    • Critical: within 72 hours
    • High: within 2 weeks
    • Medium: within 30 days
    • Low: at our next quarterly review

We coordinate any public disclosure with you. Our default is a 90-day window from initial report to public disclosure, which we may extend by mutual agreement if remediation requires more time.

F. Researchers we have worked with

We are grateful to the security researchers who have helped make ClassLens safer. The following individuals have submitted valid reports and consented to be acknowledged here:

We have not yet received a valid report to acknowledge. Be the first.

This policy was published 2026-04-27 and is reviewed at least annually. The current version is at https://www.classlens.com/security/disclosure. Material changes will be announced on https://www.classlens.com/security.