Security & Vulnerability Disclosure

Found a bug? Tell us.

We take the security of student and family data seriously. This page describes how to report vulnerabilities and what you can expect in return. Last updated May 19, 2026.

Reporting a vulnerability

Email security@dismissal.ai.

Include enough detail for us to reproduce: a description, the URL or component affected, steps to reproduce, and the impact you believe it has. We answer security mail in person, not through a form.

Security contact
security@dismissal.ai
Acknowledgement
Within 2 business days
Initial assessment
Within 5 business days
Scope

What's in scope, and what isn't.

In scope

  • dismissal.ai and subdomains
  • The Dismissal admin portal and guardian portal web applications
  • Public APIs reachable from the above

Out of scope

  • Denial-of-service (DoS or DDoS) attacks against production systems
  • Social engineering of Dismissal employees, school staff, or guardians
  • Physical attacks against Dismissal facilities or deployed field hardware
  • Attacks against third-party services we depend on — report those to the relevant vendor
  • Reports based solely on automated scanner output without demonstrated impact
  • Missing security headers, cookie flags, or SSL/TLS configurations without a demonstrated exploit
  • Username or email enumeration on public endpoints
  • Self-XSS or issues requiring physical access to a victim's unlocked device
  • Vulnerabilities in unsupported or end-of-life browsers
Our commitments

When you report in good faith, here's what you get.

  • Acknowledged within 2 business days

    From a real person, not an auto-reply.

  • Initial assessment within 5 business days

    Of severity and validity, with reasoning.

  • Progress updates while remediation is underway

    Every 5 business days at minimum, more often for critical issues.

  • Public credit if you want it

    We'll happily credit you on our website and changelog, or decline to identify you if you'd prefer to remain anonymous.

  • No legal action for good-faith research

    We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy.

Safe harbor

Authorized conduct under this policy.

We consider security research and vulnerability disclosure activities conducted consistent with this policy to be authorized conduct. To qualify for safe harbor, you must:

  • Avoid harm

    Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

  • Stay in your own lane

    Only interact with accounts you own or have explicit permission from the account holder to access. Do not access, modify, or delete data belonging to students, guardians, schools, or other users.

  • Take only the minimum

    Do not exfiltrate any data beyond the minimum necessary to demonstrate the vulnerability.

  • Disclose responsibly

    Report the vulnerability promptly and give us reasonable time to address it before public disclosure (we suggest 90 days).

  • Use the finding only to report it

    Not for any other purpose.

Special note on student data.

Dismissal processes information about minors. If your research could touch student or family data, stop and contact us first at security@dismissal.ai to coordinate testing. We're glad to work with you on a safe testing approach.

Rewards & practices summary

Where we are today, and how we protect data.

Rewards

Dismissal does not currently operate a paid bug bounty program. We credit researchers publicly with their permission and may offer Dismissal-branded thanks for high-impact findings. We hope to introduce monetary rewards as the company grows.

Security practices in production

  • TLS 1.2+ for all data in transit; encryption at rest
  • Federated identity with role-based access controls
  • Least-privilege defaults for administrative access
  • Comprehensive audit logging of administrative actions
  • Automated dependency updates and security scanning
  • Documented subprocessor review (inventory available to district customers under DPA)
  • 72-hour breach notification commitment in our DPA

Detailed architecture, named subprocessors, and incident-response runbooks are released to district customers under DPA.

Other security questions

Not a vulnerability? Different inbox.

Security questionnaires, DPAs, certification status, and incident notifications go to privacy@ so the security@ inbox stays focused on real vulnerability reports.

Vulnerability reportssecurity@dismissal.ai
Questionnaires & DPAsprivacy@dismissal.ai
Trust posture/trust