
Security Vulnerability Disclosure Policy

Overview

West Valley School District No. 208 (“the District”) is committed to protecting the confidentiality, integrity, and availability of its information systems, with particular emphasis on safeguarding student education records and personal information.

Because the District serves minors and operates systems subject to FERPA, Washington State law, and third‑party service agreements, vulnerability research must be conducted in a strictly non‑intrusive and non‑disruptive manner. This policy establishes how potential security issues may be reported without authorizing testing that could violate legal, contractual, or privacy obligations.


Legal and Contractual Considerations

District technology services include systems that are hosted or managed by third‑party providers under contractual agreements and terms of service. Unauthorized testing of these platforms may violate:

  • FERPA (20 U.S.C. § 1232g)
  • Washington State public‑sector requirements
  • Vendor terms of service and acceptable use policies

This policy does not grant authorization to test systems owned or hosted by third parties, even if they are branded with District names or domains.


How to Report a Security Concern

If you believe you have identified a potential security concern, configuration issue, or vulnerability affecting District‑managed systems, report it using one of the following channels:

  • Email: ITSecurity@wvsd208.org
  • Encrypted Email (Preferred for sensitive details): wvsd208@proton.me

Please:

  • Use encryption for sensitive technical details
  • Do not actively test or exploit the issue
  • Do not access student, staff, or instructional data
  • Describe the issue conceptually rather than experimentally

Scope

✅ In Scope (Limited)

The following are conditionally in scope for reporting only, not for active testing:

  • District‑owned infrastructure directly managed by the District IT department
  • Configuration, design, or implementation concerns observed without active exploitation
  • Publicly observable misconfigurations that do not require interaction, probing, or testing

Reporting does not imply authorization to test.


❌ Out of Scope (Strict Prohibition)

To protect students and comply with FERPA, state law, and contractual obligations, the following are explicitly out of scope:

  • All hosted or third‑party platforms, including:
    • District and school websites hosted by external providers
    • Content management systems (CMS) operated by vendors
    • Learning platforms, portals, or parent/student interfaces
  • Student Information Systems (SIS)
  • Learning Management Systems (LMS)
  • Systems containing education records, grades, attendance, health, or special education data
  • Email, identity, or authentication systems
  • Cloud productivity platforms used by students or staff
  • End‑user devices
  • Physical security systems
  • Any system governed by third‑party terms of service

No active security testing is authorized against these systems under this policy.


Prohibited Activities

The following activities are strictly prohibited:

  • Active vulnerability scanning or probing
  • Penetration testing of any kind
  • Exploitation attempts
  • Authentication bypass testing
  • Automated testing, fuzzing, or brute‑force techniques
  • Denial‑of‑Service activities
  • Social engineering or phishing
  • Interaction with real student or staff data
  • Any activity that could disrupt instructional services or operations

Responsible Disclosure Expectations

The District welcomes good‑faith reporting of concerns, not active testing.

Researchers are expected to:

  • Avoid interacting with production systems
  • Avoid collecting or storing District data
  • Refrain from public disclosure
  • Allow the District to investigate and coordinate with vendors as needed

Safe Harbor (Limited)

The District will not pursue legal action against individuals who:

  • Report potential security concerns in good faith
  • Do not engage in active testing or exploitation
  • Avoid access to student or staff data
  • Follow this policy and applicable laws

This safe harbor does not apply to activities that:

  • Violate FERPA
  • Violate vendor agreements or terms of service
  • Involve active testing, scanning, or exploitation

Response and Remediation

  • Reports will be reviewed and assessed by the District
  • Issues involving hosted systems may be referred to the appropriate vendor
  • The District does not offer bug bounties or rewards
  • Response timelines may vary based on severity and system ownership

Disclosure Restrictions

Public disclosure of security concerns involving District systems is not permitted without prior written authorization.

Unauthorized disclosure may result in harm to students, staff, or operations.


Questions

If you are unsure whether an observation falls within this policy, do not proceed with testing. Contact the District using the information above for guidance.