Exampia takes security seriously because learners may use our products for high-stakes exam preparation. This page explains the baseline protections for the website and how to report a security issue.

Security contact

Report suspected vulnerabilities to security@exampia.com. Please include affected URLs, steps to reproduce, impact, and any relevant screenshots or request IDs. Do not include personal data unless it is necessary to demonstrate the issue.

Security.txt

A machine-readable vulnerability disclosure file is available at /.well-known/security.txt. The file points researchers to this policy page and the security contact address.

Scope

The current public disclosure scope is:

• the Exampia public website;
• public pages under the production domain;
• the contact form and public API endpoints owned by Exampia.

The Exampia practice app, mobile apps, payment systems, and third-party services may have separate scopes and rules when they are made available.

Out of scope

Please do not perform:

• denial-of-service testing, stress testing, or automated high-volume scanning;
• social engineering, phishing, or physical attacks;
• accessing, modifying, deleting, or exfiltrating data that does not belong to you;
• testing against third-party platforms such as app stores, payment providers, analytics vendors, or hosting control panels;
• public disclosure before Exampia has had a reasonable chance to investigate and remediate.

Safe harbor

If you act in good faith, stay within this policy, avoid privacy harm, and report findings promptly, Exampia will not intentionally pursue legal action against you for the security research itself. This does not authorize access to third-party systems or destructive testing.

Response process

We aim to acknowledge valid reports within 3 business days, provide an initial assessment within 10 business days, and keep the reporter updated for confirmed issues. Timelines may vary based on severity and remediation complexity.

Current protections

• HTTPS-only deployment through the hosting platform and edge infrastructure;
• security headers including CSP, frame protection, content-type protection, referrer policy, and permissions policy;
• dependency auditing during development;
• server-side validation for contact form submissions;
• minimal third-party scripts on the public website;
• no analytics cookies by default.

Data handling during reports

Security report data is used only to validate, remediate, and document the issue. We retain report correspondence for a reasonable period for audit and security-history purposes.

Bug bounty

Exampia does not currently operate a paid bug bounty program. We appreciate responsible reports and may add an acknowledgement program later.

Related pages

See the Privacy Policy and Terms of Service for data protection and acceptable-use rules.

Canonical policy URL: https://exampia.com/en/security