CFI Security Vulnerability Disclosure Policy

At Corporate Finance Institute (CFI), ensuring the security and privacy of our customers’ data is of paramount importance to us. We highly appreciate contributions from our community that aid in identifying any vulnerabilities within our services.

How to Report a Security Concern

If you encounter a security issue that falls outside our known non-critical vulnerabilities, please report it to us via email at [email protected], including:

  • A concise description of the issue and its potential impact.
  • Detailed steps required to reproduce the issue.
  • The environment in which the issue was discovered.
  • If possible, any proof-of-concept code that demonstrates the vulnerability.

Upon receipt of your report, our security team will begin an investigation. We will provide updates on our progress and may contact you for additional information if necessary. Once the issue is resolved, we will inform our customers about the resolution.

To acknowledge the time and effort you invest in helping us improve our security, we may offer financial rewards for valid vulnerabilities with a CVSS score of 7 (High) or above.

Key Areas of Focus

We are particularly interested in vulnerabilities related to:

  • Bypassing authentication or escalating privileges.
  • Exposing personally identifiable information (PII).
  • Unauthorized access to data outside authenticated sessions.
  • SQL injection and remote command execution.

In Scope

The following domains and applications are within the scope of our security program:

  • corporatefinanceinstitute.com
  • learn.corporatefinanceinstitute.com
  • exams.corporatefinanceinstitute.com
  • api.corporatefinanceinstitute.com

Exclusions

The following activities are considered out of scope:

  • Any form of automated scanning.
  • Social engineering attempts against CFI employees.
  • Denial of Service (DoS) attacks.
  • Attacks requiring physical access to a device.
  • Theoretical vulnerabilities lacking practical exploitability.
  • Man-in-the-middle (MitM) attacks.
  • Clickjacking.
  • Exploits by high-privilege users (admins, owners) against their own accounts.
  • Bypassing account limits to access premium features without proper authorization.
  • Vulnerabilities only affecting non-critical CSP, email DNS records, or cookie settings, which might be noted but are unlikely to qualify for rewards.

Guidelines for Researchers

We ask you to:

  • Test vulnerabilities only on your own account or with explicit permission.
  • Make every effort to prevent privacy violations, data loss, or service disruption.
  • Refrain from attempting further access if you successfully exploit our systems.
  • Avoid disclosing vulnerabilities publicly before they are resolved and allow us sufficient time to address them.

Safe Harbor Provision

Activities conducted in alignment with this policy are considered authorized, and CFI will not pursue legal action against you. Should any third party initiate legal action for activities conducted under this policy, we will make it clear that your actions were compliant with our guidelines.
