McGraw Hill takes the security of our systems, products, and services seriously, and we recognize the value of the security community's expertise. We encourage responsible disclosure of vulnerabilities in our systems. Our Vulnerability Disclosure Program (VDP) provides guidelines for researchers, ethical hackers, and concerned individuals to conduct vulnerability discovery activities, and document and inform us of the results (“findings”) to aid us in ensuring that our customers and learners remain safe.
McGraw Hill defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the confidentiality, integrity, or availability of our platforms, products, services, or user base.
The following discovery methods are not authorized:
- Network denial of service tests (DoS or DDoS) or other tests that impair access to or damage a system or data
- Extortion, ransomware, clickjacking, or similar
- Phishing, spamming users, or other social engineering
- Reports on outdated browser
- Any non-technical vulnerability testing
Vendors, third-party websites, or connected services are not in scope and are not authorized under this policy. Please contact the third-party directly if you believe anything should be reported.
If you believe you have discovered a potential or real security vulnerability in one of our products or services, we encourage you to notify us within 48 hours after discovery through our Vulnerability Disclosure Program. Findings may be submitted anonymously.
Please provide all details available to you, including screenshots, to help us conduct our investigation, but do not undertake any research beyond what is necessary to provide your submission. All submissions must be made through the link provided above.
By submitting findings, you acknowledge that you have no expectation of payment and expressly waive any future pay claims against McGraw Hill related to your submission.
After receiving your submission, we or our service provider will acknowledge receipt within 3 business days, we will conduct a thorough investigation, and take appropriate action for resolution.
After submitting your findings to McGraw Hill, we ask you to:
- Protect the findings and all gathered evidence from unauthorized use
- Do not disclose the findings publicly or with any third party
- Do not use the information related to the findings for any purpose outside of submitting your submission to McGraw Hill
- If you encounter any personally identifiable information, stop your activity and submit a report immediately
- Do not use accounts other than your own, compromise any data other than your own, or perform any tests that will disrupt services or impair users’ ability to access the services
- Destroy any confidential data or records obtained in your discovery
If you follow the guidelines listed in this policy, McGraw Hill will not pursue any legal action against you related to your research. Disclosure of your findings to any party other than McGraw Hill will be considered as noncompliant with our guidelines and not protected by our Safe Harbor policies.
When conducting security research within the rules of this policy, we consider such research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate legal action against you
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls
- Lawful, helpful to the security of McGraw Hill, and conducted in good faith
You are expected at all times to comply with all applicable laws including those related to privacy and security of personal information. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via Bugcrowd before going any further.
We greatly appreciate the dedication and support of researchers and individuals who help us in our mission to provide the highest level of security for McGraw Hill.