# Kahoot! Responsible Disclosure Policy

Kahoot! is a global learning platform company that wants to empower everyone, including children, students, and employees, to unlock their full learning potential. Our learning platform makes it easy for any individual or corporation to create, share, and play learning games that drive compelling engagement. Kahoot! games can be played anywhere, in person or virtually, using any device with an internet connection.

The security of our customers' data is very important to us. We aim to design and operate all our systems to the highest standards in regard to all aspects of security and availability. We cannot, however, rule out that vulnerabilities will be found on our platform. We strongly believe that attempted cyber attacks should be detected and stopped at an early stage in order to avoid potentially serious consequences for the customer's business. Through responsible vulnerability research you can help us avoid attacks. This Responsible Disclosure Policy sets out what we expect from you when working with us.

# Mutual Expectations

When working with us you can expect that we:

- Respond in a timely manner to your report.
- Work to understand and validate your findings.
- Recognise your contribution to improving our security.

We expect from you that you:

- Do not exploit or use the found vulnerabilities for any other purpose than reporting to Kahoot!
- Do not engage, nor will engage, in researching systems with the intention of harming Kahoot!, our customers or partners.
- Do not use or misuse any data you have accessed in relation to the discovered vulnerability.
- Do not engage in social engineering, spamming, phishing or denial-of-service attacks.
- Do not test the physical security of any property or office of Kahoot!
- Do not break any applicable laws in connection with your report to Kahoot!
- Agree not to disclose to any third party any information related to your report, including the vulnerabilities reported and the fact that vulnerabilities have been reported.
- Agree that you are making your report without any expectation or requirement of a reward or other benefit.

# Scope

Only configurations managed by Kahoot, and systems operated and/or hosted by Kahoot for use by Kahoot, are in scope for our Responsible Disclosure Policy. Kahoot uses cloud computing services to build most of our customer-facing resources. These services have their own policies for security research and responsible disclosure and are not covered by this policy. Please contact us at security@kahoot.com if you have any questions about scope.

# Submission of report

When submitting a report to us you should at a minimum include the following information:

- Vulnerability classification (Critical/High/Medium/Low)
- Short description
- Steps to reproduce (please be as detailed as possible; include screenshots if applicable)
- Asset/URL
- Date and time of your testing
- Preferred contact method (e.g. phone, email)

Please encrypt the report if possible using the public key listed in security.txt.

# Ground Rules

To encourage research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules, including this policy and any other relevant agreements
- Promptly report any vulnerability you have discovered
- Avoid breaking the Confidentiality, Integrity or Availability of our systems and data
- Avoid violating the privacy of others
- Not engage in extortion

# Safe Harbor

For responsible disclosure submitted in accordance with and respecting our Responsible Disclosure Policy, related to systems that are configured by or operated by Kahoot, we will not take legal action against you. You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

# Rewards

Kahoot does not offer fixed rewards in the form of money or give-aways. We respect your work and the high integrity that leads to responsible disclosure.

# How to contact us

Our official communication channel is email to security@kahoot.com. We prefer that you encrypt any sensitive information using our public key, which can be found here: https://kahoot.com/security_public_key.txt