Security & Responsible Disclosure Policy

Last updated: March 2026

At Examplary, we take the security of our platform and the protection of our users' data seriously. We welcome and appreciate the efforts of security researchers and the broader community in helping us maintain a safe and secure platform.

Scope

This policy applies to security vulnerabilities found in:

  • The Examplary web application (app.examplary.ai)
  • Examplary APIs
  • Infrastructure directly operated by Examplary

The following are out of scope:

  • Third-party services and integrations
  • Social engineering attacks against Examplary staff or users
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning or testing that degrades the service for other users
  • Physical security attacks
  • Vulnerabilities in software or systems not owned by Examplary

Reporting a vulnerability

If you believe you've found a security vulnerability, please report it to us at:

📧 security@examplary.ai

In your report, please include:

  • A clear description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Any supporting materials such as screenshots, proof-of-concept code, or HTTP requests/responses
  • Your contact information for follow-up questions

What to expect

  • Acknowledgement: We will acknowledge receipt of your report within 3 business days.
  • Assessment: We will investigate and assess the reported vulnerability, keeping you informed of our progress.
  • Resolution: We aim to resolve confirmed vulnerabilities promptly, with timelines proportional to severity.
  • Disclosure: We ask that you allow us a reasonable period (typically 90 days) to address the issue before any public disclosure.

Our commitments

  • We will not pursue legal action against researchers who follow this policy.
  • We will work with you in good faith to understand and resolve the issue.
  • We will credit you (if desired) when we publicly address the vulnerability.
  • We will keep you informed about our progress throughout the remediation process.

Your responsibilities

  • Do not access, modify, or delete data belonging to other users.
  • Do not degrade the availability or performance of the platform.
  • Stop testing and report immediately if you encounter any user data.
  • Only test against accounts you own or have explicit permission to test.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Comply with all applicable laws.

Severity classification

We classify vulnerabilities using the following framework:

Critical — Remote code execution, authentication bypass, access to sensitive user data at scale, or compromise of encryption keys.

High — Privilege escalation, significant data exposure, stored cross-site scripting (XSS), or SQL injection.

Medium — Cross-site request forgery (CSRF), information disclosure of non-sensitive data, or access control issues with limited impact.

Low — Issues with minimal security impact, such as verbose error messages, missing security headers, or other best-practice deviations.

Data protection

Examplary processes educational assessment data, which may include student responses and grades. We recognise the sensitivity of this data and apply particular care to:

  • Data encryption in transit and at rest
  • Strict access controls and authentication
  • Regular security reviews and testing
  • Compliance with relevant data protection regulations

For more information about how we handle data, please refer to our Privacy Policy.

Contact

For security-related matters: security@examplary.ai

For general enquiries: hi@examplary.ai