Responsible Vulnerability Disclosure Program

Last Updated: Jan 29, 2026

At Stepwik, the security of our systems, the protection of customer data, and the integrity of our documentation platform are our top priorities. We believe that the security research community plays a vital role in identifying and mitigating potential threats.

If you are a security researcher and believe you have found a security vulnerability in Stepwik's services, we encourage you to report it to us promptly. We are committed to working with you to verify and address potential issues in a responsible manner.

Program Scope

Please review the following to understand which targets are eligible for research and which are strictly prohibited.

In-Scope Assets

  • stepwik.com (and its subdomains, e.g., app.stepwik.com, docs.stepwik.com)
  • Stepwik API endpoints

Out-of-Scope / Prohibited Testing

The following types of testing are strictly prohibited:

  • DoS/DDoS: Denial of Service or Distributed Denial of Service attacks.
  • Social Engineering: Phishing, vishing, or any deception of Stepwik employees, customers, or partners.
  • Physical Security: Attacks against Stepwik offices, data centers, or property.
  • Data Destruction: Any testing that modifies, corrupts, or deletes data.
  • Third-Party Services: Vulnerabilities in third-party integrations (e.g., payment gateways, analytics providers) unless the issue lies in Stepwik's implementation.
  • Spam: Automated vulnerability scanners that generate excessive traffic.

Reporting Guidelines

If you discover a vulnerability, please report it to us via email at security@stepwik.com.

What to include in your report:

  • Summary: A brief description of the vulnerability.
  • Steps to Reproduce: Clear, step-by-step instructions (text, screenshots, or video) to help us replicate the issue.
  • Impact: A description of how this vulnerability could be exploited and what data or systems it affects.
  • Proof of Concept (PoC): Non-destructive scripts or evidence demonstrating the flaw.

Our Response & Commitment

When you report a vulnerability in accordance with this policy, Stepwik commits to:

  • Acknowledge receipt of your report within 2-5 business days.
  • Review and verify the issue promptly.
  • Remediate the vulnerability in a timely manner.
  • Notify you when the issue has been resolved.
  • Safe Harbor: We will not pursue legal action against researchers who discover and report security vulnerabilities in good faith and in compliance with this policy.

Recognition

While we do not currently offer a bug bounty (cash reward) program, we are happy to offer a Certificate of Appreciation or a mention in our Security Hall of Fame for valid, non-trivial reports that help us secure our platform.

Important Legal Terms

By participating in this program, you agree to:

  • Adhere to all applicable laws and regulations.
  • Not disclose the vulnerability to the public or third parties until Stepwik has resolved the issue and granted permission for disclosure.
  • Test only on accounts you own or have explicit permission to test.