Incident response and contact
This article explains how institutions and users report security incidents, suspected data issues, or vulnerabilities related to SpeechGradebook. It applies to IT security contacts, privacy officers, and department admins.
This is an operational overview, not legal advice. Your institution may have additional breach-notification obligations under FERPA, state law, or contract.
When to contact ValidBound
| Situation | Examples | Urgency |
|---|---|---|
| Suspected unauthorized access | Unknown account activity, evaluation data visible to the wrong instructor | High |
| Suspected data exposure | Shared link exposes student media, misconfigured roster export | High |
| Service security concern | Authentication bypass, API behavior that may leak records | High |
| Vulnerability report | Cross-site scripting, injection, broken access control in the product | High (good-faith disclosure welcome) |
| Availability incident | Platform outage affecting grading during an active term | Medium |
| General security questionnaire | Vendor review, procurement, annual attestation | Normal |
If student education records may be involved, mark the report "security" or "incident" in the subject or description so it is prioritized.
How to report
Primary channel — institution and security contacts
Use the ValidBound contact form and select or note "Security / incident".
Include:
- Your name, role, and institution
- Whether the issue involves student education records
- Date and time observed (with timezone)
- Affected users, courses, or evaluation IDs if known
- Steps to reproduce (for product defects)
- Whether the issue is ongoing
In-app — product errors and support
Instructors and admins can use Settings → General → Error Reports for application failures. For security-sensitive issues, also email or submit via the contact form so the report reaches ValidBound operations directly.
See Report an error.
What not to use for incidents
- Public issue trackers or social media (may delay containment)
- Student consent forms or course rosters as the only attachment (describe impact instead; share details through agreed secure channels if requested)
ValidBound response process
ValidBound follows a structured process for confirmed or suspected security incidents:
```mermaid
flowchart LR
    Report[Report received]
    Triage[Triage and severity]
    Contain[Containment]
    Investigate[Investigation]
    Notify[Institution notification]
    Remediate[Remediation]
    Review[Post-incident review]
    Report --> Triage
    Triage --> Contain
    Contain --> Investigate
    Investigate --> Notify
    Notify --> Remediate
    Remediate --> Review
```
| Phase | ValidBound actions |
|---|---|
| 1. Acknowledgment | Confirm receipt and assign an owner |
| 2. Triage | Classify severity; determine if student records are implicated |
| 3. Containment | Limit ongoing exposure (access revocation, feature disable, credential rotation as needed) |
| 4. Investigation | Review audit logs, application logs, and subprocessor status |
| 5. Institution notification | Notify designated institution contacts when confirmed impact affects their data |
| 6. Remediation | Deploy fixes, restore service, document root cause |
| 7. Post-incident review | Summary for affected institutions; internal corrective actions |
Exact timelines depend on severity and whether third-party subprocessors are involved. See Subprocessors and data locations.
Expected response times
These are targets for the hosted product, not guaranteed SLAs unless your institution contract states otherwise:
| Severity | Initial acknowledgment | Update cadence |
|---|---|---|
| Critical — active exposure of student records or authentication compromise | Within 1 business day | Daily until contained |
| High — confirmed vulnerability or limited data impact | Within 2 business days | Every 2–3 business days during investigation |
| Medium / low — general security questions, questionnaires | Within 5 business days | As needed |
Critical reports received outside business hours are reviewed on the next business day unless on-call coverage is defined in your agreement.
Institution notification
When an incident is confirmed to affect an institution's student education records, ValidBound will:
- Notify the contacts on file for your institution or the reporter who identified the issue
- Describe what occurred, what data categories were involved, and containment steps taken
- Provide guidance aligned with your institution's FERPA and breach-notification process
- Share remediation status and recommended actions (password reset, access review, etc.)
Your institution remains responsible for notifications to students and regulators as required by law and policy. ValidBound supports that process with factual incident summaries and log extracts where appropriate.
Vulnerability disclosure
ValidBound welcomes good-faith security research on the hosted product.
- Report findings through the contact form with "Security / vulnerability" noted
- Allow reasonable time to investigate and remediate before public disclosure
- Do not access data belonging to other institutions or users during testing
- Do not perform denial-of-service testing against production without written approval
ValidBound does not operate a public bug-bounty program at this time.
Information ValidBound may request
To investigate efficiently, you may be asked for:
- User IDs or email addresses (not student passwords)
- Course or evaluation identifiers
- Screenshots or HAR exports with sensitive tokens redacted
- Institution security contact for coordinated response
- Whether legal or privacy counsel is already engaged
Related controls
- Security overview — authentication, RLS, encryption, audit logging
- FERPA and student records — education record handling
- Data handling and retention — storage and retention
- For IT reviewers — full review path
Contact summary
| Need | Action |
|---|---|
| Security incident or vulnerability | ValidBound contact — Security / incident |
| Product error (non-security) | Report an error or contact form |
| Procurement / DPA / questionnaire | ValidBound contact |
| General privacy questions | Privacy policy |