Proctorio is a comprehensive remote proctoring service offering identity verification and exam-proctoring services to more than 4,000 higher education, K-12, corporate, and federal institutions around the world, proctoring more than 30 million exams in 2021 alone. Proctorio’s browser extension integrates with most commonly used Learning Management Systems (LMS) and third-party assessment platforms.

Proctorio’s solution offers a suite of Lock Down, Recording, and Verification options, which gives exam administrators the ability to customize exams for their needed level of security. Proctorio has the lowest bandwidth requirements in the industry, and prioritizes user privacy and security through the use of end-to- end encryption.

At Proctorio, safeguarding the integrity and security of online assets remains a paramount objective, acknowledging the dynamic landscape of cybersecurity threats. Demonstrating the commitment to fostering a secure digital environment, Proctorio extends invitations to proficient cybersecurity professionals and ethical hackers to collaborate on fortifying digital infrastructure through this Bug Bounty Program.

Out of scope targets:

Anything outside of the explicitly approved testing scope is out of scope, including the following:

• https://github.com/proctorio

General Rules:

• Testing is only authorized on the targets listed as Testing scope.
• Any domain/property/database/IP address of Proctorio not listed in the Testing scope section is strictly out of scope.
• Avoid privacy violations, destruction of data, and interruption or degradation of Proctorio’s services.
• Only interact with accounts you own.
• Findings must be exact, and the Bug Bounty Reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or Proof of Concept Code are highly recommended.
• Rewards or recognition will not be awarded if our security team cannot reproduce and verify a Finding.
• You must be the first person to report a valid Finding ('duplicate' reports will not be rewarded).
• The use of not allowed Third-Party Systems, Third-Party Software and/or automated scanners are prohibited.
• Proctorio requests that Bounty Hunters do not perform automated/scripted testing of web forms, especially "Contact Us" forms.
• If you find the same Vulnerability several times, please report only one Finding. Multiple Vulnerabilities caused by one underlying issue will be awarded one bounty.
• You must not be a former or current employee of Proctorio or one of its subcontractors.

Assumptions and Limitations

Strictly prohibited:

• Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks
• Non-technical attacks such as social engineering or phishing, vishing, smishing
• Physical security attacks
• Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.)

Out of scope issues:

• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Design flaws and best practices that do not lead to security vulnerabilities
• Weak/expired SSL configurations
• Vulnerabilities affecting users of outdated browsers
• Missing security best practices and controls (lack of CSRF protection, missing HttpOnly or secure flags on cookies, missing XSS-Protection HTTP header)
• Self XSS
• Software version disclosure
• Lack of strong password policy
• Internal IP disclosure
• Rate-limiting issues
• Lack of captcha's or other spam-preventing mechanisms
• Content spoofing and text injection issues
• User Enumeration
• Open redirects
• Clickjacking on pages with no sensitive actions
• DNS server misconfiguration, lack of DNS CAA, and DNS-related configurations
• Absence of SPF / DKIM / DMARC records
• Mixed content warnings

Incident Handling and Response:

You, as Bounty Hunter must report any suspicious, unintentional or unwanted activities and security events you may find in the environment to [email protected].

Proctorio reserves the right to terminate and/or suspend the Program or revoke any Bounty Hunter’s authorization if a security incident occurs in the environment.

Public Disclosure:

Before disclosing an issue publicly, we require that you first request permission from us (using [email protected] email address). Proctorio will process requests for public disclosure on a per report basis.

Any Bounty Hunter found publicly disclosing reported vulnerabilities without Proctorio's written consent will be sanctioned.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Proctorio and our users safe!