Cywer Learning Bug Bounty Program

Introduction

At Cywer Learning, we are committed to maintaining the security of our platforms, applications, and services. Protecting our learners, partners, and community is our highest priority, and we greatly value the contributions of security researchers who help us identify and fix vulnerabilities.

This Bug Bounty Program outlines the process and guidelines for responsibly reporting security vulnerabilities related to Cywer Learning’s ecosystem. By collaborating with the security community, we aim to strengthen our defenses and ensure a safer experience for everyone.

If you discover a potential security vulnerability in any of our systems or services, we encourage you to report it in accordance with this program. Our security team will review, validate, and address reported issues promptly.

While we do not provide monetary rewards or financial compensation, eligible and valid submissions will be recognized in our Cywer Learning Security Hall of Fame (HOF) as a token of appreciation for helping us improve security.

Guidelines

  • Do not break any laws, rules, or regulations.
  • Avoid Denial of Service (DoS/DDoS) attacks or resource exhaustion.
  • Do not use destructive or invasive scanning tools.
  • No spam, phishing, or social engineering against employees/contractors.
  • Do not modify or delete any data in our systems.
  • No attacks against physical properties or data centers.
  • No demands for financial compensation.

Non-exploitable or low-impact issues (like missing headers) are welcome, but may be treated with lower priority.

Out-of-Scope Vulnerabilities

  • Clickjacking without sensitive actions
  • Missing rate limits, any type of password policy issue, and DDoS
  • Any missing header, or automatically generated reports
  • CSRF on non-sensitive or unauthenticated forms
  • Issues requiring MITM or physical access
  • Known vulnerable libraries without a working PoC
  • CSV injection without demonstrable impact
  • SSL/TLS best practices only
  • DoS-related vulnerabilities
  • Content spoofing/text injection without HTML/CSS modification
  • Brute force or rate-limit issues on non-auth endpoints
  • Basic CSP, cookie flag, or SPF/DKIM/DMARC issues
  • Vulnerabilities only affecting outdated browsers
  • Software version disclosures, banner info, stack traces
  • Tabnabbing
  • Open Redirect (unless additional impact proven)

Procedure for Reporting

If you discover a potential vulnerability, please send your report to: contact@cywerlearning.com

We will acknowledge your submission within 10 business days. Critical issues will be prioritized, and we aim to resolve them within two weeks. Please provide sufficient detail, such as:

  • The vulnerable endpoint, URL, or affected product/version.
  • A short description of the vulnerability type (e.g., XSS, SQLi).
  • Steps to reproduce (non-destructive PoC preferred).

Please avoid violating privacy, destroying data, or interrupting services when testing.

Hall of Fame (HOF)

Valid reports will earn recognition in our Cywer Learning Security Hall of Fame. While no monetary rewards are provided, your contribution ensures a safer learning ecosystem for our global community.

"Together, we build a safer cyberspace."

2025