Responsible Disclosure Policy


Version 1.0

Last Updated: April 2, 2025


At TutorKids.co.uk, we prioritize the security and privacy of our students, tutors, and parents. We appreciate and encourage responsible security research that helps identify and fix potential vulnerabilities. This policy outlines how researchers can help us keep our users safe and how we commit to working with the security community.


Our Commitment to Security Researchers

If you act in good faith and follow the guidelines set out in this policy:

·        We will not pursue legal action against you.

·        We will work with you to understand, verify, and fix the reported vulnerability.

·        We will acknowledge your contribution publicly (e.g., in our Security Researcher Hall of Fame).

·        At our discretion, we may offer a reward (voucher or monetary) based on the impact and severity of your finding, particularly for valid P1 to P3 vulnerabilities per Bugcrowd’s Vulnerability Rating Taxonomy.


Scope of Testing

The following assets are in scope for vulnerability research:

·        https://tutorkids.co.uk/ (main platform)

·        https://admin.tutorkids.co.uk/ (admin interface)

·        iOS and Android apps (if available)

We are especially concerned with vulnerabilities that may affect:

·        Student safety and data privacy

·        Tutor account security and verification systems

·        Payment and personal data handling

·        Communication systems (chat, video)


Out-of-Scope Activities

To protect user experience and system availability, please do not test or report on:

·        Denial of Service (DoS/DDoS)

·        Social engineering or phishing attacks

·        Physical access exploits

·        Spam, or missing/misconfigured email authentication DNS records (e.g., SPF, DKIM, DMARC) reported without a demonstrated spoofing impact

·        Automated scans producing excessive traffic

·        UI/UX issues or spelling/grammar bugs

·        Data scraping


Any services hosted or managed by third-party providers are also out of scope.


Responsible Testing Guidelines

Please ensure that all testing:

·        Is non-destructive (no deletion, modification, or corruption of data)

·        Respects user privacy and avoids accessing user accounts or data without permission

·        Is limited to accounts you have created

·        Does not disrupt live sessions, payment services, or admin functions

·        Involves no more than two accounts

·        Uses only tools you are authorized to run (get approval for automated scanners)


How to Report a Vulnerability

Please report all vulnerabilities by emailing:

📧 security@tutorkids.co.uk


Include:

·        A clear description of the vulnerability and where it occurs

·        Steps to reproduce it (screenshots, scripts, screen recordings)

·        The potential impact (e.g., data leak, privilege escalation)

·        Severity rating (e.g., P1–P5 as per Bugcrowd guidelines)

·        Your name or handle (if you wish to be credited)

If you’d like to encrypt your report, we will provide our PGP key upon request.


Global Inclusivity Notice

While we maintain international security standards, we especially encourage security researchers from Nigeria, other African countries, and the global south to participate in strengthening our platform’s security.

We are committed to fostering inclusive and collaborative security practices that reflect the diversity of our users and developers.



Final Notes

·        TutorKids reserves the right to revise this policy at any time.

·        Please do not publicly disclose a vulnerability until we have confirmed it is resolved, and ideally no sooner than 90 days after your report.

·        Vulnerabilities reported outside the guidelines may not receive acknowledgment or rewards.
