ELSA Security Disclosure Program

Last Updated: December 2024

Our Commitment to Security

At ELSA Corp, we take the security and privacy of our users seriously. We serve over 50 million learners worldwide, and protecting their data is our top priority. We value the security research community and welcome responsible disclosure of potential security vulnerabilities in our systems.

Program Overview

This is an invitation-only security research program designed to work with a select group of trusted security researchers. We believe in building long-term partnerships with the security community rather than opening ourselves to unlimited submissions.

Program Type: Private, Invitation-Only
Reward Budget: Modest monetary rewards + ELSA Premium subscriptions
Focus: Quality over quantity

How to Report a Security Vulnerability

Contact Information

Primary Contact: security@elsaspeak.com

What to Include in Your Report:

• Clear description of the vulnerability
• Detailed steps to reproduce the issue
• Proof of concept (screenshots, videos, or code samples)
• Potential security impact assessment
• Your contact information
• Any additional tools or configuration needed to reproduce

Response Timeline
We are committed to responding promptly to security reports:

• Initial Response: Within 3 business days
• Validation & Triage: 1-2 weeks
• Status Updates: Every 2 weeks until resolution
• Resolution Target: 30-90 days depending on severity

Scope

✅ In-Scope Assets

We welcome security research on the following production systems:

APIs and Backend Services:

• api.elsanow.io/* – All API endpoints
• accounts.elsaspeak.com – Authentication and account management
• Mobile API endpoints (iOS and Android app backends)

Web Applications:

• B2B admin portals and dashboards
• User-facing web applications on *.elsaspeak.com
• Payment processing flows

Mobile Applications:

• ELSA Speak iOS app
• ELSA Speak Android app
• (Backend APIs only – UI/UX bugs are not in scope)

❌ Out-of-Scope

The following are explicitly not in scope and will not qualify for rewards:

Environments:

• Staging, development, or test environments (unless exposing production data)
• Internal employee systems
• *-stag.elsanow.co domains
• *-stag.elsaspeak.com domains

Third-Party Services:

• Firebase, AWS, Cloudflare configurations (unless directly exploitable)
• CDN or infrastructure provider vulnerabilities
• Third-party integrations and plugins

Attack Types:

• Denial of Service (DoS/DDoS) attacks
• Physical security attacks
• Social engineering (phishing, vishing, etc.)
• Spam or brute force attacks
• Automated vulnerability scanning without prior approval

Non-Security Issues:

• UI/UX bugs without security impact
• Feature requests
• Performance issues
• Spelling/grammar errors

Vulnerability Severity Classification

We classify vulnerabilities based on their potential impact using the following criteria:

Severity	Examples	Reward
🔴 Critical	Remote Code Execution (RCE), SQL Injection with data exfiltration, Authentication bypass, Mass PII exposure, Payment fraud, SSRF with significant impact	$50 + Lifetime Premium
🟠 High	Account takeover, Privilege escalation, IDOR with sensitive data, XSS with significant impact, Auth/session flaws, API key exposure	$25 + 1Y ELSA Premium
🟡 Medium	XSS with limited impact, CSRF on sensitive actions, IDOR with limited exposure, Info disclosure of non-sensitive data, Missing security headers	3 months ELSA Premium + Recognition
🟢 Low	Security misconfigurations with minimal impact, Minor info disclosure, Minor auth weaknesses, CSRF on non-sensitive actions	1 month ELSA Premium + Recognition
ℹ️ Info	Security best practices, Low-impact configs, Findings without clear exploit path	Thanks + Recognition

Reward Structure

Monetary Rewards

Valid, original security vulnerabilities will be eligible for monetary rewards based on severity:

• Critical: Up to $50
• High: $25
• Medium & Low: Recognition only

ELSA Premium Subscriptions

In addition to monetary rewards, validated findings will receive:

• Critical/High: ELSA Lifetime or 1-Year Premium
• Medium/Low: ELSA Premium subscription
• Access to all premium features and content

Recognition

With your permission, we will:

• List your name on our Security Researchers Hall of Fame
• Provide LinkedIn recommendations
• Publicly acknowledge your contribution (with your consent)

Payment Process

• Vulnerability is validated by our security team
• Severity is assessed and reward is determined
• Payment is processed within 30 days of fix deployment
• Payments via bank transfer, PayPal, or cryptocurrency (Bitcoin/Ethereum)

Safe Harbor

ELSA Corp is committed to protecting security researchers who act in good faith. We will not pursue legal action against researchers who:

Protected Activities

• Test responsibly: Conduct security research only on in-scope systems
• Minimize impact: Avoid actions that degrade service or affect users
• Respect privacy: Do not access, modify, or delete user data beyond what’s necessary to demonstrate the vulnerability
• Report promptly: Disclose vulnerabilities through proper channels within a reasonable timeframe
• Keep confidential: Do not publicly disclose vulnerability details until we’ve had adequate time to address the issue

Required Conduct

Security researchers must:

• Do not access or modify user data beyond what is minimally necessary to demonstrate the vulnerability
• Do not perform Denial of Service attacks or other disruptive testing
• Do not leverage the vulnerability for personal gain beyond the scope of this program
• Do not publicly disclose vulnerability details until we confirm the fix is deployed
• Comply with all applicable laws in your jurisdiction and ours
• Act in good faith at all times

Frequently Asked Questions

Q: Is this program open to everyone?
A: Currently, this is an invitation-only program. We work with a select group of trusted researchers. If you’re interested, please introduce yourself via security@elsaspeak.com with your background and experience.

Q: Can I use automated scanners?
A: Automated scanning is discouraged and may trigger our security monitoring. If you must use scanners, please request permission first and provide the source IPs you’ll be scanning from.

Q: How long does the whole process take?
A: From report to fix deployment, expect 4-12 weeks depending on severity and complexity. Critical issues are prioritized and may be fixed within days.

Q: Can I submit multiple vulnerabilities?
A: Yes! Each unique, valid vulnerability is eligible for a reward. However, we consider similar vulnerabilities in the same component as a single issue.

Q: I need production credentials to test. Can you provide them?
A: For specific testing scenarios, we may provide test accounts. Contact us at security@elsaspeak.com with your requirements.

About ELSA

ELSA (English Language Speech Assistant) is the world’s most advanced AI-powered English pronunciation coach. Our mission is to enable the 1.5 billion English learners globally to speak with confidence.
Platform: Mobile (iOS, Android) & Web
Users: 50+ million learners across 200+ countries
Technology: AI-powered speech recognition and personalized coaching

We’re committed to protecting our users’ data and maintaining the highest security standards in the EdTech industry.

Thank you for helping us keep ELSA secure!
For questions or to report a vulnerability, contact:
security@elsaspeak.com