To ensure the health of the codebase and the larger Open edX and Tutor communities, please do not create GitHub issues for a security vulnerability. Report any security vulnerabilities or concerns by sending an email to [email protected]. To ensure a timely triage and fix of the security issue, include as many details you can when reporting the vulnerability. Some pieces of information to consider:

• The nature of the vulnerability, e.g.
  • Authentication and Authorization
  • Data Integrity and Confidentiality
  • Security Configurations
  • Third-party dependencies
• The impact of the security risk
• A detailed description of the steps necessary to reproduce the issue
• The links to the vulnerable code
• The links to third-party libraries/packages if the vulnerability is present in such a dependency.

Edly/Tutor does not offer a bug bounty for reported vulnerabilities.