Celerity Logo

Responsible Disclosure Policy

Last updated: March 10, 2026

1. Introduction

Celerity Education Data Systems welcomes security researchers who help us keep our platform and customer data safe. If you discover a vulnerability, we want to hear about it and will work with you to resolve it promptly.

2. Safe Harbor

If you comply with this policy, Celerity commits to:

  • Not pursuing legal action against you for security research conducted in accordance with this policy
  • Not reporting you to law enforcement for activities conducted under this policy
  • Working with you to understand and resolve the issue quickly

3. Scope

In Scope

  • Celerity Data Hub console
  • Celerity API endpoints
  • Authentication services
  • celerityedu.com marketing website

Out of Scope

  • Customer-deployed node hardware or networks
  • Third-party services (AWS, Stripe, Google)
  • Physical security testing
  • Social engineering of Celerity staff or customers
  • Denial of service (DoS/DDoS) attacks

4. Rules

To qualify for safe harbor, you must:

  • Not access customer data — If you discover you can access real customer data, stop immediately and report it
  • Not modify or destroy data — Demonstrate the vulnerability without causing harm
  • Not disrupt service — Avoid actions that could affect platform availability
  • Report privately — Contact us before any public disclosure
  • Give us reasonable time — Allow 90 days from report to fix before any public disclosure
  • Act in good faith — Your intent must be to improve security

5. How to Report

Email: security@celerityedu.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact information (for follow-up)
  • Screenshots or proof-of-concept if available

Encryption: If you need to send sensitive details, request our PGP key at the email above.

6. Our Commitment

ActionTimeline
Acknowledge your reportWithin 3 business days
Initial assessmentWithin 7 business days
Status updateWithin 14 business days
Fix deployed (critical)Within 30 days
Fix deployed (non-critical)Within 90 days

7. Recognition

With your permission, we will:

  • Credit you by name (or alias) on our security acknowledgments page
  • Provide a written reference letter upon request

Celerity does not currently offer monetary bounties, but we reserve the right to offer compensation for exceptional findings at our discretion.

This policy is inspired by disclose.io best practices.

Celerity Logo
© Copyright 2026 Celerity Education Data Systems Inc.