How to report
Email security reports to security@verbalcheck.com. Include reproduction steps, affected URLs or accounts, impact, screenshots or logs where appropriate, and suggested remediation if available.
Expected handling
- VerbalCheck targets an initial response within 48 hours.
- Reports are triaged based on exploitability, data sensitivity, affected users, and operational impact.
- Confirmed issues are remediated according to severity and deployment risk.
- Public disclosure should not occur until VerbalCheck has had a reasonable opportunity to investigate and remediate.
Research boundaries
- Do not access, modify, delete, exfiltrate, or disclose real student, instructor, or institutional data.
- Do not disrupt production availability, degrade service, or perform denial-of-service testing.
- Do not use social engineering, phishing, physical attacks, or attacks against VerbalCheck employees, customers, or vendors.