Please note: We do not offer rewards for submissions. All vulnerability reporting is voluntary.
At TheLeap we take cybersecurity seriously and value the contributions of the security community at large. The responsible disclosure of potential issues helps us ensure the security and privacy of our course creators, students, and our data. If you believe you’ve found a security issue in one of our products, please email [email protected] and include the following details with your report:
- A description of the issue and where it is located.
- A description of the steps required to reproduce the issue.
Please note that this should not be construed as encouragement or permission to perform any of the following activities:
- Hack, penetrate, or otherwise attempt to gain unauthorized access to Thinkific applications, systems, or data in violation of applicable law;
- Download, copy, disclose or use any proprietary or confidential Thinkific data, including customer data;
- Adversely impact TheLeap or the operation of TheLeap applications or systems.
TheLeap does not waive any rights or claims with respect to such activities.
All vulnerabilities received by our team are reviewed and prioritized based on severity. For all other security inquiries, please contact us at [email protected].
Out-of-scope vulnerabilities
- UI and UX bugs and spelling mistakes.
- Vulnerabilities related to third parties (e.g. HubSpot, WP Engine) that have no impact on TheLeap services or data.
- Policies on presence/absence of SPF/DMARC records.
- Logout Cross-Site Request Forgery.
- Attacks requiring physical access to a user’s device.
- Denial-of-service attempts and rate-limit threshold testing.
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves vulnerable.
- Social engineering of our employees or clients.
- Presence of autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Missing security headers which do not lead directly to a vulnerability.
- Host header injection.
- WordPress REST endpoints disclosing public information.
- WordPress cron and admin endpoints that are exposed but non-exploitable.
- Reports from automated tools or scans that haven’t been manually validated.
- Information disclosure, including origin IPs, and the presence of banner or version information unless correlated with a vulnerable version.
Thank you for helping us keep TheLeap course creators, students, and our data safe.