Security program

Responsible Disclosure

Security researchers and customers help us protect growth-stage teams. Report vulnerabilities responsibly — we investigate quickly, remediate with care, and coordinate public disclosure.

Ack within 2 business days
Coordinated disclosure
Good-faith safe harbor

How it works

From report to resolution

Step 01

Report

Email reproduction steps, impact, and affected endpoints.

Step 02

Triage

We validate severity, scope, and duplicate status.

Step 03

Remediate

Engineering fixes ship with coordinated communication.

Step 04

Close loop

Status updates until resolved; credit offered when appropriate.

In scope

What we want reported

AskDegree web properties

ask.degree production and keyteller.com staging hosts we operate.

Assessment platform

Growth Readiness Assessment apps and APIs — classic and Option 2 flows.

Auth & data handling

Authentication, authorization, session, and assessment data exposure flaws.

Infrastructure misconfig

Misconfigurations that could expose customer or participant information.

Out of scope

What we cannot authorize

  • Denial-of-service or load tests that degrade availability
  • Social engineering, phishing, or physical attacks against staff
  • Accessing, modifying, or exfiltrating data you do not own
  • Third-party services not operated by AskDegree
  • Duplicate reports without new impact or reproduction detail

Submit a report

How to send a useful report

The more reproducible your submission, the faster we can validate and fix. Send everything to our dedicated security inbox.

Security inbox

security@ask.degree

Include in your message

  1. Clear reproduction steps and safe proof-of-concept
  2. Affected URL, hostname, or API route
  3. Impact on confidentiality, integrity, or availability
  4. Optional PGP key or preferred follow-up contact

Response expectations

What happens after you report

Within 2 business days

Acknowledgement

We confirm receipt and assign triage.

During investigation

Status updates

We share severity assessment and remediation progress.

Before public disclosure

Coordination

We align on timing so customers stay protected.

After fix

Recognition

Credit in advisories when you request it and policy allows.

Safe harbor

We appreciate good-faith research that helps us improve. Follow these guardrails so we can focus on fixing issues — not investigating harm.

  • Avoid privacy violations and service disruption
  • Do not disclose publicly before coordinated remediation
  • Comply with applicable laws — we cannot authorize illegal activity

AskDegree does not run a paid bug bounty today. We prioritize fixes that protect customers and assessment participants.

Found something? Tell us now.

Send reproduction details to our security team. For non-security inquiries, use the contact page.
