Disclosure Policy
Kashimari Ideal School & College (KISC) values the security research community's help in keeping our website and student data safe. As an educational institution serving minors, we take any potential exposure of student or staff personal information extremely seriously.
Guidelines
- Do test only against your own account or publicly accessible pages.
- Do report vulnerabilities as soon as they are discovered.
- Do not access, download, modify, or delete any student, staff, or parent data that does not belong to you.
- Do not use automated scanners or tools that could disrupt the website for students, parents, or staff trying to access notices or results.
- Do not attempt social engineering, phishing, or physical access against school staff or students.
- Do not publicly disclose any vulnerability before we have had reasonable time to fix it, especially if it involves exposure of personal or academic data.
Special Note on Student Data
If you discover any exposure of student records, results, personal identification information, or similar sensitive data, please report it to us immediately and do not download, store, or share any of that data, even temporarily. Treat any accidental access to such data as the end of testing in that area.
What We Expect
- A clear description of the vulnerability and steps to reproduce it.
- The impact and potential risk to students, staff, or the institution.
- Any proof-of-concept material, with personal data redacted wherever possible.
What You Can Expect
- Acknowledgement of your report as soon as possible (response times may be slower than a typical company, since this is a small institution).
- A transparent process as we work with our technical support team to fix the issue.
- Recognition on our Hall of Fame page for valid first reports.
- No monetary rewards — this is a recognition-only program.
Safe Harbor
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy. We consider such activity authorized.
Out of Scope
- Notice/result PDF and image content itself (not a vulnerability).
- Government or third-party board result systems linked from our site (e.g., education board portals) — these are not ours to authorize testing on.
- Missing security headers with no demonstrated direct impact.
- Theoretical issues without a working proof of concept.
- Self-XSS or issues requiring physical access to a victim's device.