Found a bug? Tell us.
We take the security of student and family data seriously. This page describes how to report vulnerabilities and what you can expect in return. Last updated May 19, 2026.
Email security@dismissal.ai.
Include enough detail for us to reproduce: a description, the URL or component affected, steps to reproduce, and the impact you believe it has. We answer security mail in person, not through a form.
- Security contact
- security@dismissal.ai
- Acknowledgement
- Within 2 business days
- Initial assessment
- Within 5 business days
- security.txt
- /.well-known/security.txt
What's in scope, and what isn't.
In scope
dismissal.aiand subdomains- The Dismissal admin portal and guardian portal web applications
- Public APIs reachable from the above
Out of scope
- Denial-of-service (DoS or DDoS) attacks against production systems
- Social engineering of Dismissal employees, school staff, or guardians
- Physical attacks against Dismissal facilities or deployed field hardware
- Attacks against third-party services we depend on — report those to the relevant vendor
- Reports based solely on automated scanner output without demonstrated impact
- Missing security headers, cookie flags, or SSL/TLS configurations without a demonstrated exploit
- Username or email enumeration on public endpoints
- Self-XSS or issues requiring physical access to a victim's unlocked device
- Vulnerabilities in unsupported or end-of-life browsers
When you report in good faith, here's what you get.
Acknowledged within 2 business days
From a real person, not an auto-reply.
Initial assessment within 5 business days
Of severity and validity, with reasoning.
Progress updates while remediation is underway
Every 5 business days at minimum, more often for critical issues.
Public credit if you want it
We'll happily credit you on our website and changelog, or decline to identify you if you'd prefer to remain anonymous.
No legal action for good-faith research
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy.
Authorized conduct under this policy.
We consider security research and vulnerability disclosure activities conducted consistent with this policy to be authorized conduct. To qualify for safe harbor, you must:
Avoid harm
Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Stay in your own lane
Only interact with accounts you own or have explicit permission from the account holder to access. Do not access, modify, or delete data belonging to students, guardians, schools, or other users.
Take only the minimum
Do not exfiltrate any data beyond the minimum necessary to demonstrate the vulnerability.
Disclose responsibly
Report the vulnerability promptly and give us reasonable time to address it before public disclosure (we suggest 90 days).
Use the finding only to report it
Not for any other purpose.
Special note on student data.
Dismissal processes information about minors. If your research could touch student or family data, stop and contact us first at security@dismissal.ai to coordinate testing. We're glad to work with you on a safe testing approach.
Where we are today, and how we protect data.
Rewards
Dismissal does not currently operate a paid bug bounty program. We credit researchers publicly with their permission and may offer Dismissal-branded thanks for high-impact findings. We hope to introduce monetary rewards as the company grows.
Security practices in production
- TLS 1.2+ for all data in transit; encryption at rest
- Federated identity with role-based access controls
- Least-privilege defaults for administrative access
- Comprehensive audit logging of administrative actions
- Automated dependency updates and security scanning
- Documented subprocessor review (inventory available to district customers under DPA)
- 72-hour breach notification commitment in our DPA
Detailed architecture, named subprocessors, and incident-response runbooks are released to district customers under DPA.
Not a vulnerability? Different inbox.
Security questionnaires, DPAs, certification status, and incident notifications go to privacy@ so the security@ inbox stays focused on real vulnerability reports.