Open edX Security Policy#

Disclosing a Security Vulnerability#

If you believe that you have discovered a security vulnerability or other suspicious activity relating to the Open edX platform code base, please:

  • report it to the Open edX project by emailing the Open edX Security Working Group at;

  • describe the nature of the vulnerability; and

  • provide sufficient detail in your report to enable the Open edX Security Working Group to respond quickly reproduce and understand the vulnerability and respond effectively, including the following (as applicable):
    • a textual description of the steps necessary to reproduce the issue;

    • proof-of-concept code; and

    • links to vulnerable code.

Upon receipt of your email, the Open edX Security Working Group will acknowledge the receipt of your email, review and triage your security vulnerability, and act accordingly. If necessary, the group will reach out to you for more information. The group will not provide communication on the status of the security vulnerability after it has been reviewed and triaged.

Bug Bounty#

The Open edX project does not offer bug bounties for security vulnerability disclosures.

Out of Scope#

There are many sites powered by the Open edX platform. If you have found a vulnerability that is specific to an Open edX deployment please contact the operators of that site directly.