Security
Last Updated: March 1, 2026
Introduction
At BrainUs LK, the security of our platform and the safety of our users (especially students) are top priorities. We value the contributions of the security research community and believe that coordinated disclosure of vulnerabilities helps keep everyone safer.
If you have discovered a security vulnerability in any of our systems, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly and responsibly.
This is a Vulnerability Disclosure Program (VDP). We do not currently offer monetary rewards.
Our commitment to you:
- We will acknowledge your report within 5 business days.
- We will work to validate and remediate confirmed vulnerabilities as quickly as possible.
- We will not pursue legal action against researchers who act in good faith under this policy.
Scope
This policy applies to all BrainUs LK-owned systems and services, including:
- brainus.lk (main website)
- learn.brainus.lk (learning platform)
- chat.brainus.lk (BrainUs AI)
- api.brainus.lk (backend API)
- developers.brainus.lk (developer portal)
- BrainUs AI SDKs (@brainus/ai on npm, brainus-ai on PyPI)
- Any associated APIs and mobile apps
How to Report
Submit your report via HackerOne or email us directly. Both go to the same inbox.
What to Include
To help us triage your report effectively, please include:
- A description of the vulnerability and its potential impact
- The affected URL(s), endpoint(s), or component(s)
- Step-by-step instructions to reproduce the issue
- Any supporting material (screenshots, videos, PoC code)
- Your contact information (optional; anonymous reports are welcome)
What to Expect
Acknowledgement
We will acknowledge receipt of your report within 5 business days.
Validation
Our team will investigate and validate the reported vulnerability. We may reach out with follow-up questions.
Remediation
We will work to resolve confirmed vulnerabilities and keep you updated on our progress.
Disclosure
We follow coordinated disclosure practices. We'll notify you before any public disclosure and credit you if you wish.
Research Guidelines
To keep testing safe for everyone, please follow these rules during your research:
You must
- ✓ Use a dedicated test account you own. Do not test on real user accounts.
- ✓ Limit testing to confirming the vulnerability exists. Do not exploit further than necessary.
- ✓ Stop and report immediately if you unexpectedly access user data.
- ✓ Report findings promptly. Do not sit on vulnerabilities.
You must not
- ✕ Access, download, modify, or delete data belonging to other users.
- ✕ Perform Denial of Service (DoS) or disruptive load testing.
- ✕ Use automated scanners in a way that degrades service for other users.
- ✕ Pivot to other systems or users once a vulnerability is found.
- ✕ Disclose the vulnerability publicly before we have resolved it.
Safe Harbor
We consider security research conducted under this policy to be authorized. If you act in good faith and follow this policy, we will:
- Not pursue civil or criminal legal action against you
- Not report your research activities to law enforcement
- Work with you to understand and resolve the issue quickly
Good faith means: avoiding privacy violations, not disrupting our services, not accessing or modifying user data beyond what is necessary to demonstrate the vulnerability, and reporting promptly without exploiting the issue.
Out of Scope
The following issues are generally considered out of scope and may not receive a response:
- Denial of Service (DoS/DDoS) attacks
- Social engineering or phishing of BrainUs staff or users
- Physical security vulnerabilities
- Spam or email deliverability issues
- Vulnerabilities in third-party services not under our control
- Reports that require unlikely user interaction (e.g., self-XSS)
- Missing security headers with no demonstrable impact
- Theoretical vulnerabilities without a working proof of concept
AI safety concerns (jailbreaks & prompt injection)
Jailbreaks of BrainUs AI and prompt injection against it are outside the scope of this security program. If you have concerns about AI safety or model behaviour, please contact us separately at [email protected].
Disclosure Timeline
We follow coordinated disclosure. Once you report a vulnerability, we ask that you give us time to investigate and resolve the issue before publishing any details publicly.
90-day deadline
We commit to resolving confirmed vulnerabilities within 90 days of your report. After 90 days, you are free to disclose publicly, even if the issue is not yet fully resolved. If we need more time and you are willing to extend, we will request this explicitly and agree on a new deadline together.
For critical vulnerabilities actively being exploited, we may request an earlier disclosure date or coordinate a shorter timeline with you directly.
Contact
For security-related enquiries, please contact us at [email protected]. For all other enquiries, visit our Help Centre.
This policy applies to BrainUs LK and all services operated under the brainus.lk domain.