1. Purpose

1. As a leading provider of technology products to K–12 schools worldwide, information security and data privacy is a critical aspect of Renaissance’s business. We abide by our regulatory obligations and strive to exceed the expectations of the educators we serve. We demonstrate our information security and data privacy commitments through the implementation and continuous improvement of our physical, technical, and administrative safeguards.
2. This document establishes the general framework for a Responsible Disclosure program. The Responsible Disclosure program will help Renaissance work with customers, security professionals, and other stakeholders to find and remediate security vulnerabilities in Renaissance products and services.

2. Scope

1. This process document applies to responsible disclosure processes and the related information they capture and/or generate. This process document applies to all employees worldwide, contractors, consultants, temporary employees, vendors with access to sensitive information and networks and all other workers at Renaissance.

3. General Rules for Vulnerability Disclosures

1. Renaissance will not offer rewards for disclosed vulnerabilities.
2. Renaissance reserves the right to modify the Responsible Disclosure program without notice at any time.
3. Renaissance may, in its sole discretion, remove, ignore, or disqualify any vulnerability disclosure if it does not comply with or meet the requirements of this program.
4. Only vulnerabilities found on in-scope assets are eligible for consideration. Renaissance will make a list of in-scope assets available to vulnerability reporters.
5. Asset means Renaissance applications and services as well as their supporting infrastructure.
6. Only vulnerabilities with reasonable severity scores, either based on the Common Vulnerability Scoring Standard or a valid risk assessment considering impact and likelihood, will be eligible for consideration. Consideration is wholly subject to the discretion of Renaissance.
7. Any/all information received or collected about Renaissance, our affiliates, our employees, or our customers in connection with this program are considered Confidential and will be protected as such. Breaches of confidentiality will result in legal review.

4. Vulnerability Submission Rules & Guidelines

1. Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for consideration.
2. In cases where the full context to assess the impact of a vulnerability are not available or fully certain, a report can still be submitted for review. Such reports must include steps to reproduce the issue along with descriptions of potential impacts or open questions that articulate the concern.
3. Provide timely and adequately detailed responses to any follow-up questions or requests for additional information from the Renaissance Information Security Team.
4. Report one vulnerability at a time. If multiple vulnerabilities are caused by a single underlying issue, report the underlying issue.
5. In cases where unauthorized access or destruction of data is observed, stop any further testing or discovery and immediately report the issue. Prominently note that unauthorized access or destruction of data is the result of the reported vulnerability.
6. Do not provide data artifacts or screenshots that include customer data or other potentially sensitive data.

5. Prohibitions

The following are prohibited:

1. Attempts to use this program in social engineering (phishing, vishing, or smishing).
2. Destroying or manipulating data.
3. Deliberately accessing accounts, data, or services in any unauthorized or illegal manner.
4. Degrading or disrupting Renaissance applications or services.
5. Contacting customers or other third parties.
6. Contacting Renaissance customer support about the status of vulnerabilities.
7. Submission of customer data, screenshots of customer data, videos containing customer data, unless explicitly requested by the Renaissance Information Security Team.
8. Publicly disclosing vulnerability information.
9. Compromising the privacy or safety of customers or others.
10. Any activity or attack that could be considered a denial of service.

6. Out of Scope Vulnerabilities

Effective reporting and remediation of vulnerabilities requires accurate information about the context, exploitability, and security impacts related to an issue. Renaissance will consider any of the following out of scope:

1. Clickjacking on pages with no sensitive data or actions.
2. Missing best practices in SSL/TLS configuration.
3. Missing best practices in email protocols.
4. Unauthenticated CSRF.
5. Attacks requiring a previously compromised client.
6. Self XSS.
7. Content spoofing or injection issues that rely on HTML/CSS modifications.
8. Any issue that would require volumetric attacks.
9. Any issue that requires advance knowledge of secrets or keys.

7. Security Team Responses

The Renaissance Information Security Team will make a best effort attempt to respond to disclosed vulnerabilities. In general, we will respond in accordance with the following for eligible disclosures:

1. First response to a report:  5 business days (US)
2. Subsequent responses:  3 business days (US)

8. Asking Questions

1. All questions should be directed to [email protected].