[{"id":3756588,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.\n\n# Guidelines\n- When conducting research, please ensure that your methods and report conform to the [HackerOne Code of Conduct](https://www.hackerone.com/policies/code-of-conduct).\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account.\n- To be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues. Non-security-related issues can be reported to our public bug tracker, hosted on Zendesk: https://support.khanacademy.org/.\n\n# Scope\nWe're interested in technical vulnerabilities in most *.khanacademy.org sites (see notes below) or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US)).\n- Some parts of our site are hosted by third parties on subdomains (including [shop](https://shop.khanacademy.org/), [life](https://life.khanacademy.org/), and [crowdin](https://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. 
If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- https://support.khanacademy.org/ is operated by Zendesk. If you have a report related to this subdomain, please ensure it is a configuration problem (something we can address). If it's a general issue with the support site, it's best to report that directly to [Zendesk on HackerOne](https://hackerone.com/zendesk).\n\nIssues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority, although we'll still accept more serious issues.\n\nIssues opened as a result of automated scanning tools and/or Large Language Model 'analysis' without a demonstrable user or system impact will typically be closed. The hacker should take what they learn from scans / AI and turn it to something demonstrable and actionable. \n\nWe no longer accept reports regarding KaTeX, as it is community-maintained and we do not have direct ownership. Please file KaTeX issues on the [KaTeX project on Github](https://github.com/KaTeX/KaTeX/issues).\n\n# Notes \u0026 Exclusions\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. 
We take other steps to detect and mitigate from brute force attacks.\n- Please note that we do expire sessions after actions you'd expect for this to happen, such as changing your password. However, it can take up to 5 minutes to propagate the expiration to every session. Rest assured that sensitive account actions are protected during this time with a re-authentication requirement. Please wait at least 5 minutes before re-testing any session expiration that you expect.\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. Denial-of-service reports related to xmlrpc will be closed.\n\n# Thanks\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-29T19:54:16.437Z"},{"id":3684853,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.\n\n# Guidelines\n- When conducting research, please ensure that your methods and report conform to the [HackerOne Code of Conduct](https://www.hackerone.com/policies/code-of-conduct).\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account.\n- To be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues. 
Non-security-related issues can be reported to our public bug tracker, hosted on Zendesk: https://support.khanacademy.org/.\n\n# Scope\nWe're interested in technical vulnerabilities in most *.khanacademy.org sites (see notes below) or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US)).\n- Some parts of our site are hosted by third parties on subdomains (including [shop](https://shop.khanacademy.org/), [life](https://life.khanacademy.org/), and [crowdin](https://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- https://support.khanacademy.org/ is operated by Zendesk. If you have a report related to this subdomain, please ensure it is a configuration problem (something we can address). If it's a general issue with the support site, it's best to report that directly to [Zendesk on HackerOne](https://hackerone.com/zendesk).\n\nIssues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority, although we'll still accept more serious issues.\n\nWe no longer accept reports regarding KaTeX, as it is community-maintained and we do not have direct ownership. 
Please file KaTeX issues on the [KaTeX project on Github](https://github.com/KaTeX/KaTeX/issues).\n\n# Notes \u0026 Exclusions\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate from brute force attacks.\n- Please note that we do expire sessions after actions you'd expect for this to happen, such as changing your password. However, it can take up to 5 minutes to propagate the expiration to every session. Rest assured that sensitive account actions are protected during this time with a re-authentication requirement. Please wait at least 5 minutes before re-testing any session expiration that you expect.\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- We are not currently planning to implement DNSSEC. 
In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. Denial-of-service reports related to xmlrpc will be closed.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-15T17:48:26.660Z"},{"id":3681428,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US))\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [shop](https://shop.khanacademy.org/), [life](https://life.khanacademy.org/), and [crowdin](https://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that we do expire sessions after actions you'd expect for this to happen, such as changing your password. However, it can take up to 5 minutes to propagate the expiration to every session. Rest assured that sensitive account actions are protected during this time with a re-authentication requirement. Please wait at least 5 minutes before re-testing any session expiration that you expect.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate from brute force attacks.\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. 
Denial-of-service reports related to xmlrpc will be closed.\n- https://support.khanacademy.org/ is operated by Zendesk. If you have a report related to this subdomain, please ensure it is a configuration problem (something we can address). If it's a general issue with the support site, it's best to report that directly to [Zendesk on HackerOne](https://hackerone.com/zendesk)\n- We no longer accept reports regarding KaTeX, as it is community-maintained and we do not have direct ownership. Please file KaTeX issues on the [KaTeX project on Github](https://github.com/KaTeX/KaTeX/issues).\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, hosted on Zendesk: https://support.khanacademy.org/.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-20T21:39:29.397Z"},{"id":3681095,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US))\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](https://life.khanacademy.org/) and [crowdin](https://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that we do expire sessions after actions you'd expect for this to happen, such as changing your password. However, it can take up to 5 minutes to propagate the expiration to every session. Rest assured that sensitive account actions are protected during this time with a re-authentication requirement. Please wait at least 5 minutes before re-testing any session expiration that you expect.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate from brute force attacks.\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. 
Denial-of-service reports related to xmlrpc will be closed.\n- https://support.khanacademy.org/ is operated by Zendesk. If you have a report related to this subdomain, please ensure it is a configuration problem (something we can address). If it's a general issue with the support site, it's best to report that directly to [Zendesk on HackerOne](https://hackerone.com/zendesk)\n- We no longer accept reports regarding KaTeX, as it is community-maintained and we do not have direct ownership. Please file KaTeX issues on the [KaTeX project on Github](https://github.com/KaTeX/KaTeX/issues).\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, hosted on Zendesk: https://support.khanacademy.org/.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-13T16:37:20.996Z"},{"id":3677206,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US))\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](https://life.khanacademy.org/) and [crowdin](https://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that we do expire sessions after actions you'd expect for this to happen, such as changing your password. However, it can take up to 5 minutes to propagate the expiration to every session. Rest assured that sensitive account actions are protected during this time with a re-authentication requirement. Please wait at least 5 minutes before re-testing any session expiration that you expect.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate from brute force attacks.\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. 
Denial-of-service reports related to xmlrpc will be closed.\n- We no longer accept reports regarding KaTeX, as it is community-maintained and we do not have direct ownership. Please file KaTeX issues on the [KaTeX project on Github](https://github.com/KaTeX/KaTeX/issues).\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-09T17:01:38.260Z"},{"id":3657970,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US))\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](https://life.khanacademy.org/) and [crowdin](https://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that we do expire sessions after actions you'd expect for this to happen, such as changing your password. However, it can take up to 5 minutes to propagate the expiration to every session. Rest assured that sensitive account actions are protected during this time with a re-authentication requirement. Please wait at least 5 minutes before re-testing any session expiration that you expect.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate from brute force attacks.\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. 
Denial-of-service reports related to xmlrpc will be closed.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-07T17:46:38.608Z"},{"id":3647857,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US))\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that the `ka_session` is not actually the session cookie we use for authentication; it's primarily for analytics purposes and is intentionally not marked as Secure.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate brute force attacks.\n- https://blog.khanacademy.org/ has xmlrpc.php enabled. Because this is a known attack vector, we have several protections in place against attacks based on xmlrpc. Please do not report any vulnerability unless you can demonstrate it with a proof-of-concept. Denial-of-service reports related to xmlrpc will be closed.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. 
Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-19T23:19:59.695Z"},{"id":3632649,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Google Play](https://play.google.com/store/apps/details?id=org.khanacademy.android\u0026hl=en_US))\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that the `ka_session` is not actually the session cookie we use for authentication; it's primarily for analytics purposes and is intentionally not marked as Secure.\n- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate brute force attacks.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-10T20:35:19.909Z"},{"id":3624401,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test 
your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that the `ka_session` is not actually the session cookie we use for authentication; it's primarily for analytics purposes and is intentionally not marked as Secure.\n- Many of our endpoints have very lenient or absent rate-limiting. 
This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as `/forgotpw` have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate brute force attacks.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-22T22:46:34.914Z"},{"id":3617529,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22\n- Please note that the `ka_session` is not actually the session cookie we use for authentication; it's primarily for analytics purposes and is intentionally not marked as Secure.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-29T16:19:34.350Z"},{"id":3615481,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test 
your vulnerability, create a new one; don't use another user's account\n- Please note that the `ka_session` is not actually the session cookie we use for authentication; it's primarily for analytics purposes and is intentionally not marked as Secure.\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. 
Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-02T22:18:35.954Z"},{"id":3590996,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-09T18:03:51.423Z"},{"id":3571780,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. 
If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [life](http://life.khanacademy.org/) and [crowdin](http://crowdin.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), deliberately have some public parts.  This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-21T22:23:57.987Z"},{"id":3546249,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), and [sandcastle](http://sandcastle.kasandbox.org/) deliberately have some public parts.  This is deliberate and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we do not support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-06T17:47:12.480Z"},{"id":3546248,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), and [sandcastle](http://sandcastle.kasandbox.org/) deliberately have some public parts. This is deliberate and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we don't support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-06T17:47:03.348Z"},{"id":3546247,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), and [sandcastle](http://sandcastle.kasandbox.org/) deliberately have some public parts. This is deliberate and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we don't support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy. [a'b](https://www.khanacademy.org)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-06T17:46:52.546Z"},{"id":3546245,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Notes \u0026 Exclusions\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), and [sandcastle](http://sandcastle.kasandbox.org/) deliberately have some public parts. This is deliberate and we don't consider it a vulnerability unless you can use it to compromise the main site.\n- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. 
SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.\n- Issues that only apply to [browsers we don't support](https://khanacademy.zendesk.com/hc/en-us/articles/204795660-Supported-browsers) are generally lower-priority although we'll still accept more serious issues.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-06T17:41:43.028Z"},{"id":3543632,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n- Several of our internal services, including our [mobile build server](https://mobile-ci.khanacademy.org/), and [sandcastle](http://sandcastle.kasandbox.org/) deliberately have some public parts. This is deliberate and we don't consider it a vulnerability unless you can use it to compromise the main site.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. 
Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-22T01:28:08.195Z"},{"id":3543631,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n- We have a public Jenkins [instance](https://mobile-ci.khanacademy.org/) for mobile continuous integration. We don't consider this a vulnerability.\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. 
Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-22T01:24:24.847Z"},{"id":3483121,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), [emails](http://emails.khanacademy.org/)); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-23T20:06:31.352Z"},{"id":2158396,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- Some parts of our site are hosted by third parties 
on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), emails); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\nTo be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.\n\nNon-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.\n\n# Thanks\nWe believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-11T19:15:53.998Z"},{"id":1671003,"new_policy":"At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.\n\nWe're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. 
Please let us know about it and we'll fix the issue as soon as we can.\n\n# Scope\n- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps ([iOS](https://itunes.apple.com/us/app/khan-academy/id469863705?mt=8), [Windows 8](http://apps.microsoft.com/windows/en-us/app/khan-academy/d23cc2b2-c105-4db3-9946-e44bacc56f7b))\n- Our [API](https://github.com/Khan/khan-api/wiki/Khan-Academy-API) includes an [OAuth flow](https://github.com/Khan/khan-api/wiki/Khan-Academy-API-Authentication) for authorizing access to a Khan Academy account\n- Our [computer programming section](https://www.khanacademy.org/computing/cs) intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (kasandbox.org); running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack\n- Parts of our website and infrastructure are [open source on GitHub](https://github.com/Khan)\n- Some parts of our site are hosted by third parties on subdomains (including [shop](http://shop.khanacademy.org/), [life](http://life.khanacademy.org/), [crowdin](http://crowdin.khanacademy.org/), emails); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site\n- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account\n\n# Thanks\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our [Hall of Fame](https://hackerone.com/khanacademy/thanks) and to make you the proud owner of a [Friendly Hacker](https://www.khanacademy.org/badges/friendly-hacker) badge on Khan Academy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-16T11:54:13.976Z"}]