Security Policy

Last updated: December 19, 2025

Reporting a Vulnerability

We take security seriously at SkillsArea. If you discover a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

This policy outlines how to report security vulnerabilities and what you can expect from us in return.

How to Report

Email Us

Send your report to: [email protected]

Do NOT

  • Create a public GitHub issue
  • Disclose the vulnerability publicly until we've addressed it
  • Access or modify data beyond what's necessary to demonstrate the vulnerability

What to Include in Your Report

To help us understand and address the vulnerability quickly, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any suggested fix or mitigation (if you have one)
  • Your contact information (so we can reach out if we need clarification)

Our Commitment

When you report a security vulnerability responsibly, we commit to:

  • Acknowledge receipt within 48 hours of your report
  • Provide regular updates on our progress in addressing the issue
  • Notify you when the vulnerability has been fixed
  • Credit you in our security acknowledgements page (if you wish)

Scope

In Scope

We welcome reports about the following types of vulnerabilities:

  • Web application vulnerabilities (XSS, SQL injection, CSRF, etc.)
  • Authentication and authorization issues
  • Data exposure vulnerabilities
  • API security issues
  • Server configuration issues
  • Other security-related bugs

Out of Scope

The following are not considered security vulnerabilities:

  • Social engineering attacks
  • Physical security issues
  • Denial of service (DoS) attacks
  • Issues requiring physical access to a user's device
  • Spam or phishing attempts
  • Issues in third-party services we use
  • Self-XSS (cross-site scripting that only affects yourself)

Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith and in accordance with this policy
  • Do not access or modify data beyond what's necessary to demonstrate the vulnerability
  • Do not disrupt our services or cause harm to our users
  • Report vulnerabilities responsibly and allow us reasonable time to fix them
  • Do not publicly disclose the vulnerability before we've had a chance to address it

Note: This safe harbor applies only to security research activities that are conducted in accordance with this policy. Any activities that go beyond this scope may be subject to legal action.

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution: Depends on severity (typically 30-90 days)

We understand that some vulnerabilities may take longer to fix, especially if they require significant architectural changes. We will keep you informed of our progress throughout the process.

Questions?

If you have any questions about this security policy or the reporting process, please don't hesitate to contact us:

Thank you for helping keep SkillsArea secure!

Your responsible disclosure helps protect our users and our platform.