Bug Disclosures

We practice responsible disclosure and publicly document security issues resolved in our products. Below you will find a timeline of disclosures with technical detail, impact, and remediation notes.

Total Disclosures: 2 • Average CVSS: 7.3 • Resolved: 2 • High/Critical: 1
Medium • Password reset endpoint lacked per-account rate limiting
12/12/2024 • CVSS 6.5 • Status: Resolved
An attacker could submit password reset requests for any email address without limit. Repeating this against a known address flooded that user's inbox with reset messages, and the absence of throttling made it cheap to probe many addresses, potentially enabling enumeration of valid accounts.
Tags: Rate Limiting, Enumeration • by Alex Thompson
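The bug class above is easiest to see as a vulnerable handler beside its fix. The following is an added example written for this page, not CyberTeam's code and not a reproduction of the actual endpoint: the in-memory user set, the outbox that stands in for the mailer, and the 3-per-hour limit are all assumptions. The "before" handler sends a mail on every request and answers differently for unknown addresses; the "after" handler keeps a sliding window per normalized address and returns the same response whether or not the account exists.

```python
"""Per-account throttling for a password-reset endpoint.

Added example, not CyberTeam's code. The in-memory user set, the outbox and
the 3-per-hour limit are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque

# Constructed user store: only these addresses have accounts.
USERS = {"alice@example.com", "bob@example.com"}

# Outbox standing in for the mail sender so the example runs offline.
OUTBOX: list[tuple[str, float]] = []


def _normalize(email: str) -> str:
    return email.strip().lower()


def _send_reset_mail(email: str, now: float) -> None:
    OUTBOX.append((email, now))


def mail_count(email: str) -> int:
    """Number of reset mails delivered to an address (used for checks)."""
    key = _normalize(email)
    return sum(1 for addr, _ in OUTBOX if addr == key)


def reset_vulnerable(email: str, now: float) -> dict:
    """'Before': no throttling, and the response reveals whether the account exists."""
    key = _normalize(email)
    if key not in USERS:
        return {"status": 404, "body": "no such account"}  # account-existence oracle
    _send_reset_mail(key, now)                               # one mail per request, unbounded
    return {"status": 200, "body": "reset mail sent"}


class AccountRateLimiter:
    """Sliding-window counter keyed by the normalized account identifier."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                  # drop attempts that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Assumed policy: at most 3 reset mails per account per hour.
LIMITER = AccountRateLimiter(limit=3, window_seconds=3600)


def reset_hardened(email: str, now: float) -> dict:
    """'After': per-account window, same response whether or not the account exists."""
    key = _normalize(email)
    # Count the attempt for unknown addresses too, so neither the response
    # nor the limiter's behaviour distinguishes real accounts from fake ones.
    allowed = LIMITER.allow(key, now)
    if allowed and key in USERS:
        _send_reset_mail(key, now)
    return {"status": 202,
            "body": "If an account exists for that address, a reset mail has been sent."}
```

The per-account window is the fix the disclosure describes; in practice it is paired with a per-source-IP limit (so one attacker cannot spread load across many addresses) and with asynchronous mail delivery, since a measurably slower response for real accounts would reopen the enumeration channel the uniform 202 closes.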
High • Cross-tenant access control bypass via mis-scoped API token
11/5/2024 • CVSS 8.2 • Status: Resolved
An authenticated user with a scoped API token could enumerate and access limited metadata of sessions belonging to another tenant by manipulating the organizationId parameter.
Tags: Authorization, Multi-tenant • by Nina Patel
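The pattern behind this disclosure is an authorization check that verifies the token's scope but lets the caller choose the tenant. The following is an added example written for this page, not CyberTeam's code and not a reproduction of the affected API: the token model, the two tenants (org-A, org-B) and the session records are constructed for illustration. The "before" handler filters on the organizationId parameter; the "after" handler derives the tenant from the token, rejects a conflicting parameter, and answers single-record lookups for foreign ids the same way as for non-existent ones.

```python
"""Tenant scoping for a session-listing API.

Added example, not CyberTeam's code. The token model, the two tenants
(org-A, org-B) and the session records are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiToken:
    token_id: str
    organization_id: str       # tenant the token was issued for
    scopes: frozenset[str]


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


# Constructed data: two tenants, each with its own sessions.
SESSIONS = [
    {"id": "s-101", "organizationId": "org-A", "title": "Intro to AppSec"},
    {"id": "s-102", "organizationId": "org-A", "title": "Threat Modeling"},
    {"id": "s-201", "organizationId": "org-B", "title": "Red Team Basics"},
]

TOKEN_ORG_A = ApiToken("tok-1", "org-A", frozenset({"sessions:read"}))
TOKEN_NO_SCOPE = ApiToken("tok-2", "org-A", frozenset())


def _require_scope(token: ApiToken, scope: str) -> None:
    if scope not in token.scopes:
        raise Forbidden(f"token lacks scope {scope}")


def list_sessions_vulnerable(token: ApiToken, params: dict) -> list[dict]:
    """'Before': the tenant filter is taken from the caller-controlled parameter.

    The scope check passes, but nothing ties organizationId to the token, so a
    tenant A token can list tenant B's sessions by changing one parameter.
    """
    _require_scope(token, "sessions:read")
    org = params.get("organizationId", token.organization_id)
    return [s for s in SESSIONS if s["organizationId"] == org]


def list_sessions_hardened(token: ApiToken, params: dict) -> list[dict]:
    """'After': the tenant comes from the token; a conflicting parameter is rejected."""
    _require_scope(token, "sessions:read")
    requested = params.get("organizationId")
    if requested is not None and requested != token.organization_id:
        # Fail closed rather than silently ignoring the parameter: a mismatch
        # is either a client bug or a probe, and both are worth logging.
        raise Forbidden("organizationId does not match the token's tenant")
    return [s for s in SESSIONS if s["organizationId"] == token.organization_id]


def get_session_hardened(token: ApiToken, session_id: str) -> Optional[dict]:
    """Object-level check for a single record.

    Returns None both for ids that do not exist and for ids owned by another
    tenant, so the response does not confirm that a foreign id is valid.
    """
    _require_scope(token, "sessions:read")
    for s in SESSIONS:
        if s["id"] == session_id and s["organizationId"] == token.organization_id:
            return s
    return None
```

The single-record lookup matters as much as the listing: once the list endpoint stops leaking other tenants' ids, a by-id endpoint that returns 403 for foreign ids and 404 for unknown ones still confirms which ids exist, so both cases collapse to the same "not found" result.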
Disclosure Policy
Our program guidelines for responsible security research and reporting

We value security researchers and the responsible disclosure of vulnerabilities. We commit to timely acknowledgment, transparent triage, and safe harbor for good-faith research.

In Scope
  • Training platform web app and APIs under cyberteam.com
  • Authentication, sessions, and payments workflows
  • Course/session enrollment and team collaboration features
Out of Scope
  • Denial of service (network/volumetric)
  • Social engineering and phishing against staff or students
  • Third-party services not owned or operated by CyberTeam
  • Missing SPF/DMARC/BIMI records or other email best-practice findings
  • Clickjacking on pages with no sensitive actions
Safe Harbor

If you make a good-faith effort to comply with this policy during your research, we will not initiate legal action against you. Do not access, modify, or exfiltrate data you do not own.

Testing Guidelines
  • Use test accounts where possible; avoid impacting real users
  • Limit automated scanning and respect rate limits
  • Do not attempt data destruction or service disruption
  • Stop testing immediately if you encounter user data and report details confidentially
Report a Vulnerability
How to reach us securely
Email: security@cyberteam.com
PGP available on request
Suggested Template
  • Summary & impact
  • Steps to reproduce
  • Affected URLs/endpoints
  • Proof-of-concept (redact secrets)
  • Mitigation ideas
Response Targets
  • Acknowledge within 2 business days
  • Triage within 5 business days
  • Fix ETA communicated for High/Critical findings