Responsible Security Disclosure Policy

Working with the Cyber Security Research Community to improve our online security

Introduction

Pearson is committed to protecting our customers, learners, employees, stakeholders and indeed our company. We welcome the opportunity to work in cooperation with well-intentioned and ethical Cyber Security Researchers to identify and thoroughly investigate and resolve all security issues in our Platforms, Systems or Services, to ensure the protection of the Information and Data that has been entrusted to us.

This policy defines the method and rules of engagement by which Pearson can work with the Cyber Security Research Community to improve our online security.

Bug Bounty

Currently, we do not offer a paid bug bounty programme. We will however, welcome feedback from well-intentioned and ethical Cyber Security Researchers who take the time and effort to investigate and report security issues in our Platforms and Services in accordance with this policy.

Scope

This policy applies only to Pearson products and services which have a security.txt file in their root. Subdomains are considered in scope provided their parent domain is in scope. (i.e. The existence of: https://<pearson.com>/security.txt means that shop.pearson.com and www.pearson.com are also in scope.).

This policy applies only to vulnerabilities which are original, previously unreported by an external party and not already discovered by internal vulnerability assessment and other procedures.

The following security issues are not in scope; please don’t report them:

• Volumetric vulnerabilities (I.e. overwhelming our service with a high volume of requests).
• TLS configuration weaknesses (I.e. "weak" ciphersuite support, TLS1.0 support, sweet32)
• Non-exploitable vulnerabilities
• Gaps in common "best practice" such as missing security headers (CSP, x-frame-options, x-prevent-xss etc) or suboptimal email related configuration (SPF, DMARC etc).
• Improper session management / session fixation vulnerabilities. 

Responsible Security Disclosure Policy

Cyber Security Researchers shall investigate security issues in Pearson Platforms and Services only in accordance with the requirements set out in this policy. Such research into Pearson Platforms and Services that does not comply with this policy may be considered malicious activity towards Pearson and legal action may be taken as necessary.

Anyone investigating security issues in Pearson Platforms and Services shall investigate security issues in Pearson Platforms and Services in accordance with the following principles and requirements:

• Respect our Learners, Customers and Employees privacy. You must not attempt to access anyone’s data, personal or otherwise. This includes, but is not limited to, usernames, passwords and other credentials. In the event that you gain access to anyone’s data, personal or otherwise, you must contact us immediately by emailing responsible.disclosure@pearson.com. You must not save, store or transmit this information.
• Act in good faith.  You must report any issues found to us in good faith with no conditions attached by emailing responsible.disclosure@pearson.com.
• Work with us. You must promptly report any findings to Pearson by emailing responsible.disclosure@pearson.com. You must stop your investigations after you have found the first security issue and request permission to continue testing. You must allow us a reasonable amount of time to resolve the security issue before publicly disclosing it.

Anyone investigating security issues in Pearson Platforms, Systems or Services shall not:

• Violate the privacy rights of Pearson Staff, Learners, Customers, Stakeholders and Third-Party Partners.
• Break the law or any agreement they have with Pearson or a third-party;
• Access unnecessary amounts of data. Only access the amount of data necessary to demonstrate the vulnerability to Pearson;
• Exfiltrate data. Instead they shall use a Proof of Concept to demonstrate a vulnerability;
• Share or redistribute any data retrieved from Pearson Platforms, Systems or Services with anyone other than your dedicated Pearson Security contact or responsible.disclosure@pearson.com;
• Disclose any vulnerabilities (or associated details) found in Pearson Platforms, Systems or Services with anyone other than your dedicated Pearson Security contact or responsible.disclosure@pearson.com. If the vulnerability is directly relevant to a third-party, the vulnerability may be disclosed but how it relates to Pearson must not be disclosed or referenced.
• Test Platforms, Systems and Services that do not fall within the scope of this policy;
• Test for security issues that do not fall within the scope of this policy;
• Disable security controls for Pearson Platforms, Systems or Services;
• Alter the configuration of Pearson Platforms, Systems or Services;
• Attempt to introduce malware or malicious code or programs;
• Disrupt the availability of Pearson Platforms, Systems or Services to Users (I.e. Denial-of-Service);
• Provide anyone else with access Pearson Platforms, Systems or Services;
• Delete, destroy or modify any data on Pearson Platforms, Systems or Services;
• Perform any form of social engineering against Pearson Staff, Customers, Learners, Stakeholders or Third-Party Partners;
• Send messages from or to any Pearson Identity that could reasonably be considered to be spam, harassment, non-inclusive or unethical;
• Perform any testing of physical security;
• Perform Brute-Force or any other password attacks against Pearson users.

Anyone investigating security issues in Pearson Platforms, Systems or Services shall:

• Use a device running fully licenced software, that is fully patched, has fully encrypted storage and has an Internet security suite installed (Anti-Virus, MMC removal, personal firewall, intrusion prevention).
• Protect any information or data about or retrieved from Pearson Platforms, Systems or Services from unauthorised access and use.
• Securely delete any information or data about or retrieved from Pearson Platforms, Systems or Services as soon as it is no longer required.

Reporting a Security Issue

If you have discovered a Cyber Security Issue which you believe falls within the scope of this policy, please email responsible.disclosure@pearson.com with the following information:

• The URL of the Pearson Platform, System or Service;
• Code version number, if applicable.
• Description of the vulnerability
• Steps needed to reproduce the vulnerability, including any proof-of-concept.
• Screenshots
• The IP address from which you performed the testing. This will enable us to view logs related to your testing;
• Details of the browser and Operating System used during testing;
• Clearly identify your traffic (I.e. a unique custom HTTP header such as X-Jisc-CVD:<youremail@address>);
• Demonstrate root level access using touch /root/<uniqueid>;
• How you prefer to be contacted.

What to expect

We will aim respond to your email within 24 hours. Our initial response will include a ticket reference number, which you can quote in any further communications with our Security Team.

Our Security Team will assess the reported vulnerability. They will contact you to verify whether or not the reported vulnerability falls within the scope of this policy and to ask for any additional information as required.

Remediation work will be assigned to the appropriate teams and/or supplier(s) and will be prioritized based on the severity of impact to Pearson and the likelihood of exploitation.

You are welcome to enquire about the status of the process, but please limit this to no more than once every 14 days. Our Security Team will notify you when the reported vulnerability has been remediated and will ask you to confirm that the solution is adequate.

We will then ask for your feedback on Pearson’s engagement and vulnerability resolution approach. Your feedback will remain strictly confidential and will only be used to help us improve on our engagement, vulnerability resolution approach and, in turn, the security of Pearson’s Platforms, Systems and Services.

Legalities

This policy is designed to be compatible with common good practice among well-intentioned and ethical Cyber Security Researchers. It does not give you permission to act in any manner that is inconsistent with legal and regulatory compliance or cause Pearson to be in breach of any of its legal and regulatory obligations, including but not limited to:

• The Computer Misuse Act (1990)
• The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
• The Copyright, Designs and Patents Act (1988)