
PowerSchool Responsible Disclosure Program

Report a Vulnerability

PowerSchool, a leading provider of education technology solutions for K-12 and Higher Education, is committed to being a good custodian of student data, taking all reasonable and appropriate countermeasures to ensure data confidentiality, integrity and availability. We believe that the safe collection and management of student data is essential to student success within the 21st Century digital classroom.

We value the contributions of independent security researchers who invest time and effort to make our applications more secure.  Accordingly, we encourage responsible reporting of any potential areas for improvement or vulnerabilities that may be found in our applications.  We are committed to working with security researchers to verify and address any potential vulnerabilities reported to us.

Please review all terms before exploring or reporting any vulnerabilities.  This program is in place for all of PowerSchool’s products and services.  Note that this disclosure program does not apply to any of your security research that involves the networks, systems, information, applications, devices, products or services of another party.  We cannot and do not authorize security research in the name of other entities.

Reporting a vulnerability

To report a potential security issue or vulnerability with a PowerSchool branded product or technology (which includes PeopleAdmin and Schoology products and technologies), please submit our vulnerability submission form or email the discovered potential issue or vulnerability to us, providing us with:

  1. the name(s) of the product or technology at issue
  2. the potential impact of the vulnerability
  3. details of the potential security issue or vulnerability (including a description of your discovery with clear, concise reproducible steps) and
  4. a working proof-of-concept

If you do not explain the potential security issue or vulnerability in detail, there may be delays in our response. Please be sure to encrypt all submissions containing sensitive information. If you are having trouble encrypting your vulnerability report or have any questions about the process, send a message to security@powerschool.com. We will work with you to identify a method to securely transmit your vulnerability report.

We will work with you to assess and understand the scope of the issue and fully address any concerns. Submitted potential vulnerabilities are initially reviewed, triaged and assessed in detail to determine the risk level of the vulnerability. By submitting a potential vulnerability, you agree to permit PowerSchool a reasonable time to assess and remedy the reported vulnerability, not to share or publicize an unresolved vulnerability with third parties, and to keep all communication regarding the potential vulnerability confidential.

Security Researcher Recognition

PowerSchool appreciates and wants to recognize every individual researcher who submits a vulnerability report that helps us improve our overall security posture. Although submitted vulnerabilities are not eligible for monetary rewards, PowerSchool is eager to highlight researchers working to make our environment safer.

To recognize research partners, PowerSchool may feature researchers who make significant contributions if they are first to report an issue and we make a code or configuration change based on their report.  By submitting a potential security issue or vulnerability, you grant PowerSchool the right to display your name on the Security Researcher Recognition and such other media as PowerSchool may choose to publish.

Guidelines

PowerSchool agrees not to pursue claims against researchers who disclose potential vulnerabilities to this program where the researcher:

  • Is reporting in the researcher’s individual capacity or, if employed by a company or other entity and reporting on behalf of that employer, has the employer’s written approval to submit the report to PowerSchool;
  • Does not solicit or submit vulnerabilities for consideration outside of the communication methods outlined in this PowerSchool Responsible Disclosure Program;
  • Does not cause harm to PowerSchool, our customers, or others;
  • Does not initiate a fraudulent financial transaction;
  • Does not store, share, compromise or destroy PowerSchool or customer data;
  • Provides a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability);
  • Does not compromise the privacy or safety of our customers and the operation of our services;
  • Does not violate any national, state, or local law or regulation;
  • Does not publicly disclose vulnerability details without PowerSchool’s written permission;
  • Does not deploy automated scans on PowerSchool resources without due approval;
  • Is not currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea;
  • Is not on a U.S. Government list of sanctioned individuals (including the Specially Designated Nationals List);
  • Is not, and has not been within the last six (6) months, an employee of PowerSchool or its subsidiaries, or an immediate family member of such an employee;
  • Is not, and has never been, a vendor or contractor of PowerSchool;
  • Agrees to participate in testing mitigation effectiveness and in coordinating the disclosure, release or publication of their finding, if PowerSchool requests such participation; and
  • Is at least 18 years old.

Third-party bugs

If issues reported to PowerSchool affect a third-party library or another vendor, PowerSchool reserves the right to forward details of the issue to that party without further discussion with the researcher.  We will do our best to coordinate and communicate with researchers through this process.

Sensitive and Personal Information

Never attempt to access anyone else’s data or personal information, including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information relating to the potential vulnerability.
  • Do not save, copy, store, transfer, disclose or otherwise retain the data or personal information.
  • Alert PowerSchool immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any report from potential participation in this program.

PowerSchool security team commitment

Upon submission of a potential vulnerability report, the security team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your submission;
  • Provide an estimated time frame for addressing the reported potential vulnerability;
    • PowerSchool commits to addressing vulnerabilities determined to be critical within ninety (90) days from the date the vulnerability is validated;
  • Notify you upon fixing the vulnerability.