Hanlexon (operated by Hanlexon LLC) takes the security of our students, teachers, and institutions seriously. We welcome reports of security vulnerabilities from the research community and from anyone who finds an issue while using our service.
How to report a vulnerability
Email admin@hanlexon.com with:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce, including any required configuration or test data
- Any relevant logs, screenshots, or proof-of-concept code
- Your name (or pseudonym) for optional public credit, plus a contact for follow-up
We aim to acknowledge receipt within 5 business days, provide a substantive response within 14 business days, and remediate or disclose the issue within 90 days. Critical vulnerabilities are prioritized and may be addressed faster.
Safe-harbor commitment
We will not pursue legal action, complain to your employer, or take other adverse action against security researchers who:
- Test in good faith and within the scope of this policy
- Avoid harm to our users (including not modifying or accessing data beyond what is necessary to demonstrate the vulnerability)
- Avoid actions that would degrade service availability (denial-of-service, sustained automated probing, etc.)
- Provide us a reasonable opportunity to remediate before public disclosure
- Comply with all applicable law in their jurisdiction
This policy authorizes good-faith security testing of all Hanlexon-operated production systems, including www.hanlexon.com and the V2 API surface (/api/v2/*).
Out of scope
- Denial-of-service or volumetric attacks against any Hanlexon system
- Social engineering of Hanlexon staff, contractors, vendors, or users
- Physical attacks against Hanlexon infrastructure or personnel
- Issues in third-party services we use (report those to the relevant vendor; our sub-processors are listed at /v2/schools/privacy)
- Vulnerabilities requiring a victim to install malicious software, click attacker-controlled links from outside Hanlexon, or otherwise be socially engineered
- Reports of out-of-date software libraries without a working proof-of-concept
- Self-XSS that requires copying attacker code into the browser console
- Missing security headers without a demonstrated impact
Our security commitments
Hanlexon commits to:
- Encrypt all customer data in transit (TLS 1.2+) and at rest (cloud-provider managed keys)
- Apply security patches to underlying dependencies in a timely manner
- Maintain access controls based on the principle of least privilege
- Log access to sensitive operations and review logs for anomalous activity
- Notify affected users within 30 days of any confirmed unauthorized disclosure of personal information that materially affects them (per our Privacy Policy)
- Maintain a documented incident response process
- Make multi-factor authentication available for administrative accounts at no additional cost
Our framework alignment is documented at /v2/schools/privacy, including FERPA, COPPA, SOPPA, UK GDPR, and the Australian Privacy Principles.
Acknowledgments
With researcher consent, we may publicly acknowledge contributors here once an issue is resolved.
Contact
Security reports: admin@hanlexon.com
General privacy/data inquiries: admin@hanlexon.com
Machine-readable contact: /.well-known/security.txt