Back to Compliance Portal

Compliance document

Vulnerability Disclosure Policy

Instructions for responsibly reporting suspected VerbalCheck security vulnerabilities.

Status

Published policy

Effective date

June 2026

Audience

Security researchers, institutional IT teams, and customer security reviewers

How to report

Email security reports to security@verbalcheck.com. Include reproduction steps, affected URLs or accounts, impact, screenshots or logs where appropriate, and suggested remediation if available.

Expected handling

  • VerbalCheck targets an initial response within 48 hours.
  • Reports are triaged based on exploitability, data sensitivity, affected users, and operational impact.
  • Confirmed issues are remediated according to severity and deployment risk.
  • Public disclosure should not occur until VerbalCheck has had a reasonable opportunity to investigate and remediate.

Research boundaries

  • Do not access, modify, delete, exfiltrate, or disclose real student, instructor, or institutional data.
  • Do not disrupt production availability, degrade service, or perform denial-of-service testing.
  • Do not use social engineering, phishing, physical attacks, or attacks against VerbalCheck employees, customers, or vendors.