
Vulnerability Disclosure Policy

Last updated: 2025-07-11

Introduction

EdTechLab LTD (“EngagedLab”) takes the security of our platform seriously. We value the work of security researchers who help us keep our users and their data safe. This policy describes how to report security vulnerabilities to us responsibly and what you can expect from us in return.

EdTechLab.co.uk is the official website of EdTechLab LTD, the company behind EngagedLab.

Scope

This policy covers vulnerabilities in:

  • www.engagedlab.co.uk — main web application
  • API endpoints — all /api/* routes
  • LTI 1.3 integration — launch, JWKS, and grade passback endpoints
  • SCORM export packages — generated learning content
  • Authentication & SSO — SAML 2.0, OIDC, MFA flows

Out of scope: Third-party services (Supabase, Vercel, Cloudflare, Google Cloud, Stripe) — please report issues with those services directly to their respective security teams.

How to Report

Please report security vulnerabilities via email to security@engagedlab.co.uk.

In your report, please include:

  • A description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Any proof-of-concept code or screenshots
  • The affected URL(s), endpoint(s), or component(s)
  • Your assessment of severity (Critical / High / Medium / Low)
  • Your name and contact details (for acknowledgment, if desired)

If you wish to encrypt your report, please contact us first at the email above to arrange a PGP key exchange.

Our Commitment

  • Acknowledgment: We will acknowledge receipt of your report within 2 business days.
  • Assessment: We will provide an initial severity assessment within 5 business days.
  • Resolution: We aim to resolve critical vulnerabilities within 72 hours, high severity within 14 days, and others within 30 days.
  • Communication: We will keep you informed of our progress and notify you when the issue is resolved.
  • Credit: With your permission, we will acknowledge your contribution on our Security Acknowledgments page.

Safe Harbour

If you conduct security research in accordance with this policy, we consider your research to be:

  • Authorised under the Computer Misuse Act 1990
  • Exempt from restrictions in our Terms of Service that would otherwise prohibit security testing
  • Lawful, helpful, and conducted in good faith

We will not pursue legal action against researchers who follow this policy. If a third party initiates legal action against you for research conducted under this policy, we will make this authorisation known.

Rules of Engagement

To protect our users, we ask that researchers:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service (DoS) attacks
  • Do not send unsolicited messages to users (phishing, spam, etc.)
  • Do not publicly disclose the vulnerability before it has been resolved
  • Do make every effort to avoid degrading the user experience
  • Do only interact with accounts you own or have explicit permission to test
  • Do stop testing and report immediately if you encounter user data

Qualifying Vulnerabilities

Examples of vulnerabilities we are interested in:

  • Authentication bypass or privilege escalation
  • SQL injection, NoSQL injection, or command injection
  • Cross-site scripting (XSS) or cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR)
  • Exposure of sensitive data (PII, credentials, API keys)
  • LTI 1.3 security issues (token replay, JWKS bypass, grade manipulation)
  • Broken access control or row-level security (RLS) bypass
  • Cryptographic weaknesses

Contact