Security

Responsible Vulnerability Disclosure Program

Last Updated: Jan 29, 2026

At Stepwik, the security of our systems, customer data, and the integrity of our documentation platform is our top priority. We believe the security research community plays a vital role in identifying and mitigating potential threats.

If you are a security researcher and believe you have found a vulnerability in Stepwik's services, we encourage you to report it to us. We are committed to working with you to verify and address potential issues in a responsible manner.

1. Program Scope

Please review the following to understand which targets are eligible for research and which are strictly prohibited.

In-Scope Assets

  • stepwik.com and its subdomains (e.g., app.stepwik.com, docs.stepwik.com)
  • Stepwik API endpoints

Out-of-Scope / Prohibited Testing

The following types of testing are strictly prohibited:

  • DoS/DDoS: Denial of Service or Distributed Denial of Service attacks.
  • Social Engineering: Phishing, vishing, or any deception of Stepwik employees, customers, or partners.
  • Physical Security: Attacks against Stepwik offices, data centers, or property.
  • Data Destruction: Any testing that modifies, corrupts, or deletes data.
  • Third-Party Services: Vulnerabilities in third-party integrations unless the issue lies in Stepwik's implementation.
  • Spam: Automated vulnerability scanners that generate excessive traffic.

2. Reporting Guidelines

If you discover a vulnerability, please report it via email at security@stepwik.com. Please include the following in your report:

  • Summary: A brief description of the vulnerability.
  • Steps to Reproduce: Clear, step-by-step instructions (text, screenshots, or video) to help us replicate the issue.
  • Impact: A description of how this vulnerability could be exploited and what data or systems it affects.
  • Proof of Concept (PoC): Non-destructive scripts or evidence demonstrating the flaw.

3. Our Response & Commitment

When you report a vulnerability in accordance with this policy, Stepwik commits to:

  • Acknowledge receipt of your report within 2–5 business days.
  • Review and verify the issue promptly.
  • Remediate the vulnerability in a timely manner.
  • Notify you when the issue has been resolved.
  • Safe Harbor: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in compliance with this policy.

4. Recognition

While we do not currently offer a bug bounty (cash reward) program, we are happy to offer a Certificate of Appreciation or a mention in our Security Hall of Fame for valid, non-trivial reports that help us secure our platform.

5. Important Legal Terms

By participating in this program, you agree to:

  • Adhere to all applicable laws and regulations.
  • Not disclose the vulnerability to the public or third parties until Stepwik has resolved the issue and granted permission for disclosure.
  • Test only on accounts you own or have explicit permission to test.

Questions about this program? Reach out at security@stepwik.com.