Coviu's Security Bug Bounty Program
Important Notice: Changes to Our Responsible Disclosure Program
We regret to inform you that our paid responsible disclosure program will be ceasing to accept new submissions as of Thursday 15th June 2023 (07:00 AM PDT).
We appreciate the invaluable contributions from security researchers and the community throughout the duration of the program.
For those with currently open submissions that are awaiting resolution, your submissions will still be reviewed and processed according to the terms of our program that remain listed below, and remain eligible for paid bounties. Our security team will diligently investigate the issues reported, and we remain committed to addressing any valid vulnerabilities that have been identified.
While our paid program may be ending, we want to emphasize that we still value the security of our systems and the safety of our users. If you wish to report security vulnerabilities or concerns, you can continue to reach out to us at bugbounty@coviu.com. We appreciate your ongoing dedication to keeping our systems secure, and we thank you for your understanding regarding the changes to our responsible disclosure program.
Please note that any reports received after the indicated program closure date may not be eligible for compensation or official acknowledgment.
Program Rules
Please read our entire policy before you start! This will help save you time and reduce the chances of submitting a finding that is not in scope.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be considered.
- When duplicates occur, we only consider the first report that was received (provided that it can be fully reproduced).
- We want you to search for bugs, not user data. If you encounter user information during your testing, stop immediately and notify us using security@coviu.com. Further guidance will be provided along with an appropriate recognition for your finding.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be considered as one.
- Social engineering (e.g. phishing) is prohibited and the company will take legal action.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Please follow the AWS Penetration Testing Policy: https://aws.amazon.com/security/penetration-testing
- Be respectful when interacting with our team, and our team will do the same.
- Do not perform testing that involves enumerating and/or brute-forcing logins.
- Do not discuss the finding on social media, document it publicly, or disclose the vulnerability without our consent and review.
- Do not harm or defraud Coviu systems or our users during your investigation.
In Scope vulnerabilities
- Stored/Reflected Cross-site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Authentication or authorization flaws
- Server-side Remote Code Execution (RCE)
- Access Control Vulnerabilities (IDOR, etc.)
- XML External Entity Attacks (XXE)
- Significant security misconfigurations on the platform
- SQL Injection (SQLi)
Note: Security issues with significant impact to users will be considered, even if they do not fit the scope categories.
Out of scope vulnerabilities
The following issues are considered out of scope and will not be eligible:
- Scanner output or scanner-generated reports, i.e. reports from automated active scanning tools.
- Fingerprinting / banner disclosure on common/public services/configuration.
- Clickjacking on pages with no sensitive actions.
- Content spoofing without embedding an external link or JavaScript.
- Any vulnerabilities found on subdomains or properties not explicitly listed in scope.
- Any activity that could lead to the disruption of our service (DDoS) or rate-limiting issues.
- CSRF configuration issues without an exploitable proof of concept.
- Missing best practices in SSL/TLS configuration (lack of HSTS, additional security headers, etc.).
- Presence of autocomplete functionality in form fields.
- Lack of HttpOnly or Secure cookie flags on non-sensitive cookies.
- Reports of vulnerabilities in third-party software (HubSpot).
- Missing security headers which do not lead directly to a security vulnerability.
- Flaws affecting the users of out-of-date browsers or plugins.
- Email bombing and flooding.
- Enumeration or information disclosure of non-sensitive information.
Testing Scope
We ask that you scope your testing to the domain below ONLY.
Please do not conduct any testing or scanning outside the domain or subdomain specified below.
In Scope: Coviu Staging
Register Here: https://covi-stage.io/checkout/au/trial
Vulnerability Submission Policy
When submitting a vulnerability please include:
- A description of the vulnerability and the environment in which it was discovered.
- Details on the application under test and/or service that is affected.
- Detailed steps that can reproduce the issue.
- An image attachment (optional). Do not attach any executable files to your email.
- Please mail us at bugbounty@coviu.com
Triage Process
Email all submissions to bugbounty@coviu.com. Please allow time for triage and for the vulnerability to be fixed before discussing any findings publicly.
After receiving a submission, Coviu will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.
Rewards and Recognitions
To recognise the important work that security researchers provide, Coviu offers monetary rewards of up to $2000 AUD (minimum reward $50), with the final value of the reward determined based on the severity of the reported vulnerability and product category.
Final Notes
The Coviu team would like to thank all security researchers for helping to keep our customers safe and secure. We applaud your hard work, dedication, and commitment to supporting the Coviu bug bounty program. We will make the final decision on bug eligibility and value.
This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these program terms do not apply retroactively.
Thanks to all security researchers for their help in keeping Coviu safe and secure.