Skip to security policy

Security

Effective: May 31, 2026

Previous versions of this document are available upon request.

Report a Vulnerability

Blueprint welcomes good-faith security reports that help protect students, families, counselors, and schools.

Email security reports to security@applywithblueprint.com. Please include a clear description, affected URLs, steps to reproduce, and any screenshots or logs that help us verify the issue without accessing data that is not yours.

We aim to acknowledge receipt within 72 hours and provide a more detailed response within 7 business days when the report is in scope and reproducible.

In Scope

  • Vulnerabilities that could expose student, parent, counselor, or school data
  • Authentication, authorization, or session-management issues
  • Cross-site scripting, injection, or request-forgery issues on Blueprint-owned domains
  • Security misconfigurations affecting applywithblueprint.com

Out of Scope

  • Denial-of-service testing, automated high-volume scanning, or load testing
  • Social engineering, phishing, or physical attacks
  • Accessing, modifying, deleting, or exfiltrating data that is not your own
  • Public disclosure before Blueprint has had a reasonable time to investigate and remediate

Safe Harbor

We will not pursue legal action against researchers who make a good-faith effort to follow this policy, avoid privacy violations, avoid service disruption, test only with accounts they own or have permission to use, and report vulnerabilities promptly.

This policy does not authorize destructive testing, denial-of-service activity, social engineering, data exfiltration, or access to another person's account or data.

Security.txt

Blueprint also publishes a standard security contact file for automated scanners and security researchers.

View the current security contact file at /.well-known/security.txt. To report a vulnerability or ask security questions, contact us at security@applywithblueprint.com.

Bug Bounty Program

Blueprint does not currently operate a paid bug bounty program. Reports are reviewed for responsible disclosure and remediation, but compensation is not offered unless agreed in writing before testing.