Kashimari Ideal School & College VDP Bug Bounty Program

Kashimari Ideal School & College (KISC) is committed to protecting the privacy and safety of our students, staff, and families. This Vulnerability Disclosure Program covers our official website, student/staff login portal, and notice/result publishing systems. We welcome reports from security researchers acting in good faith and will publicly recognize valid findings. This is a non-commercial educational institution with no monetary reward budget.

In scope

Type	Target	Max severity
🌐 url	`https://kisc.edu.bd`	Critical
🌐 url	`https://kisc.edu.bd/login`	Critical
🌐 url	`https://kisc.edu.bd/NoticeUpload/*`	High
🌐 url	`https://kisc.edu.bd/OnlineAdmission`	Medium

Out of scope

No out-of-scope targets listed.

Disclosure policy

Disclosure Policy

Kashimari Ideal School & College (KISC) values the security research community's help in keeping our website and student data safe. As an educational institution serving minors, we take any potential exposure of student or staff personal information extremely seriously.

Guidelines

Do test only against your own account or publicly accessible pages.
Do report vulnerabilities as soon as they are discovered.
Do not access, download, modify, or delete any student, staff, or parent data that does not belong to you.
Do not use automated scanners or tools that could disrupt the website for students, parents, or staff trying to access notices or results.
Do not attempt social engineering, phishing, or physical access attempts against school staff or students.
Do not publicly disclose any vulnerability before we have had reasonable time to fix it, especially if it involves exposure of personal or academic data.

Special Note on Student Data

If you discover any exposure of student records, results, personal identification information, or similar sensitive data, please report it to us immediately and do not download, store, or share any of that data, even temporarily. Treat any accidental access to such data as the end of testing in that area.

What We Expect

A clear description of the vulnerability and steps to reproduce it.
The impact and potential risk to students, staff, or the institution.
Any proof-of-concept material, with personal data redacted wherever possible.

What You Can Expect

Acknowledgement of your report as soon as possible (response times may be slower than a typical company, since this is a small institution).
A transparent process as we work with our technical support team to fix the issue.
Recognition on our Hall of Fame page for valid first reports.
No monetary rewards — this is a recognition-only program.

Safe Harbor

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy. We consider such activity authorized.

Out of Scope

Notice/result PDF and image content itself (not a vulnerability).
Government or third-party board result systems linked from our site (e.g., education board portals) — these are not ours to authorize testing on.
Missing security headers with no demonstrated direct impact.
Theoretical issues without a working proof of concept.
Self-XSS or issues requiring physical access to a victim's device.

Publicly disclosed reports

No reports have been publicly disclosed yet.

Reports

0

Accept rate

0%

Avg response

—

Avg payout

—

Reports by month

Severity breakdown

Total paid out

$0