Incident response and contact

This article explains how institutions and users report security incidents, suspected data issues, or vulnerabilities related to SpeechGradebook. It applies to IT security contacts, privacy officers, and department admins.

This is an operational overview, not legal advice. Your institution may have additional breach-notification obligations under FERPA, state law, or contract.

When to contact ValidBound

| Situation | Examples | Urgency |
|---|---|---|
| Suspected unauthorized access | Unknown account activity, evaluation data visible to the wrong instructor | High |
| Suspected data exposure | Shared link exposes student media, misconfigured roster export | High |
| Service security concern | Authentication bypass, API behavior that may leak records | High |
| Vulnerability report | Cross-site scripting, injection, broken access control in the product | High (good-faith disclosure welcome) |
| Availability incident | Platform outage affecting grading during an active term | Medium |
| General security questionnaire | Vendor review, procurement, annual attestation | Normal |

If student education records may be involved, mark the report "security" or "incident" in the subject or description so it is prioritized.

How to report

Primary channel — institution and security contacts

Use the ValidBound contact form and select or note Security / incident.

Include:

  • Your name, role, and institution
  • Whether the issue involves student education records
  • Date and time observed (with timezone)
  • Affected users, courses, or evaluation IDs if known
  • Steps to reproduce (for product defects)
  • Whether the issue is ongoing

In-app — product errors and support

Instructors and admins can use Settings > General > Error Reports for application failures. For security-sensitive issues, also email or submit via the contact form so the report reaches ValidBound operations directly.

See Report an error.

What not to use for incidents

  • Public issue trackers or social media (may delay containment)
  • Student consent forms or course rosters as the only attachment (describe impact instead; share details through agreed secure channels if requested)

ValidBound response process

ValidBound follows a structured process for confirmed or suspected security incidents:

flowchart LR
Report[Report received]
Triage[Triage and severity]
Contain[Containment]
Investigate[Investigation]
Notify[Institution notification]
Remediate[Remediation]
Review[Post-incident review]

Report --> Triage
Triage --> Contain
Contain --> Investigate
Investigate --> Notify
Notify --> Remediate
Remediate --> Review

| Phase | ValidBound actions |
|---|---|
| 1. Acknowledgment | Confirm receipt and assign an owner |
| 2. Triage | Classify severity; determine if student records are implicated |
| 3. Containment | Limit ongoing exposure (access revocation, feature disable, credential rotation as needed) |
| 4. Investigation | Review audit logs, application logs, and subprocessor status |
| 5. Institution notification | Notify designated institution contacts when confirmed impact affects their data |
| 6. Remediation | Deploy fixes, restore service, document root cause |
| 7. Post-incident review | Summary for affected institutions; internal corrective actions |

Exact timelines depend on severity and whether third-party subprocessors are involved. See Subprocessors and data locations.

Expected response times

These are targets for the hosted product, not guaranteed SLAs unless your institution contract states otherwise:

| Severity | Initial acknowledgment | Update cadence |
|---|---|---|
| Critical — active exposure of student records or authentication compromise | Within 1 business day | Daily until contained |
| High — confirmed vulnerability or limited data impact | Within 2 business days | Every 2–3 business days during investigation |
| Medium / low — general security questions, questionnaires | Within 5 business days | As needed |

Critical reports received outside business hours are reviewed on the next business day unless on-call coverage is defined in your agreement.

Institution notification

When an incident is confirmed to affect an institution's student education records, ValidBound will:

  1. Notify the contacts on file for your institution or the reporter who identified the issue
  2. Describe what occurred, what data categories were involved, and containment steps taken
  3. Provide guidance aligned with your institution's FERPA and breach-notification process
  4. Share remediation status and recommended actions (password reset, access review, etc.)

Your institution remains responsible for notifications to students and regulators as required by law and policy. ValidBound supports that process with factual incident summaries and log extracts where appropriate.

Vulnerability disclosure

ValidBound welcomes good-faith security research on the hosted product.

  • Report findings through the contact form with Security / vulnerability noted
  • Allow reasonable time to investigate and remediate before public disclosure
  • Do not access data belonging to other institutions or users during testing
  • Do not perform denial-of-service testing against production without written approval

ValidBound does not operate a public bug-bounty program at this time.

Information ValidBound may request

To investigate efficiently, you may be asked for:

  • User IDs or email addresses (not student passwords)
  • Course or evaluation identifiers
  • Screenshots or HAR exports with sensitive tokens redacted
  • Institution security contact for coordinated response
  • Whether legal or privacy counsel is already engaged

Contact summary

| Need | Action |
|---|---|
| Security incident or vulnerability | ValidBound contact — Security / incident |
| Product error (non-security) | Report an error or contact form |
| Procurement / DPA / questionnaire | ValidBound contact |
| General privacy questions | Privacy policy |