Skip to content

Security & Responsible Disclosure

Last updated: 13 December 2024

Security Overview

At skillSYMS, security is fundamental to our platform. We handle sensitive learner data, including South African ID numbers and academic records, and take our responsibility seriously.

This page outlines our security practices and provides guidance for security researchers who wish to report vulnerabilities.

Infrastructure Security

skillSYMS is built on Cloudflare's secure infrastructure:

  • DDoS Protection: Enterprise-grade protection against distributed denial of service attacks
  • Web Application Firewall: Protection against common web vulnerabilities (OWASP Top 10)
  • Bot Management: Detection and mitigation of malicious automated traffic
  • Edge Network: Traffic served from 300+ data centers globally, reducing attack surface
  • Always HTTPS: All traffic encrypted with TLS 1.3

Data Protection

Encryption

  • In Transit: All data encrypted using TLS 1.3
  • At Rest: Database and storage encrypted using AES-256
  • ID Numbers: South African ID numbers additionally encrypted at the application layer and displayed masked

Data Isolation

  • Multi-tenant architecture with strict data isolation
  • Each tenant's data logically separated at the database level
  • API keys and sessions scoped to individual tenants

Backups

  • Automated daily backups with point-in-time recovery
  • Backups encrypted and stored in geographically separate locations
  • Regular backup restoration testing

Access Control

  • Role-Based Access Control (RBAC): Granular permissions based on user roles (admin, assessor, moderator, learner)
  • API Key Scoping: API keys limited to specific operations and tenant scope
  • Session Management: Secure session handling with automatic expiry
  • MFA Support: Multi-factor authentication available for administrative accounts

Monitoring and Logging

  • Audit Trails: Comprehensive logging of all data access and modifications
  • Security Monitoring: Real-time monitoring for suspicious activity
  • Incident Response: Documented procedures for security incident handling
  • Log Retention: Security logs retained for 7 years for compliance

Responsible Disclosure Policy

We appreciate the work of security researchers in helping keep skillSYMS secure. If you discover a security vulnerability, we ask that you:

  • Report it to us privately before public disclosure
  • Provide us reasonable time to investigate and fix the issue (typically 90 days)
  • Avoid accessing or modifying user data without permission
  • Avoid disrupting our services or users
  • Act in good faith

How to Report

To report a security vulnerability, please email:

security@skillsyms.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

For sensitive reports, you may encrypt your email using our PGP key (available upon request).

What We Ask You NOT to Do

  • Access, modify, or delete data belonging to other users
  • Perform denial of service attacks
  • Send spam or phishing messages
  • Social engineer our staff or users
  • Publicly disclose before we've had time to fix the issue

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized: We will not pursue legal action against researchers acting in good faith
  • Helpful: We value your contribution to our security
  • Exempt from ECTA violations: Within the scope defined above

If legal action is initiated by a third party against you for research conducted under this policy, we will make known our authorization.

Recognition

We believe in recognizing security researchers who help us improve. With your permission, we will:

  • Acknowledge you in our security hall of fame (if you wish)
  • Provide a letter of appreciation upon request
  • Consider monetary rewards for critical vulnerabilities (at our discretion)

Note: We do not currently operate a formal bug bounty program with guaranteed payments.

Security Contact

For security matters, contact:

Security Team
skillSYMS (Pty) Ltd
security@skillsyms.com

For general inquiries (non-security), please use info@skillsyms.com.

Response time for security reports: We aim to acknowledge within 24 hours and provide an initial assessment within 72 hours.