Coviu's Security Bug Bounty Program

    Important Notice: Changes to Our Responsible Disclosure Program

    We regret to inform you that our paid responsible disclosure program will be ceasing to accept new submissions as of Thursday 15th June 2023 (07:00 AM PDT).

    We appreciate the invaluable contributions from security researchers and the community throughout the duration of the program.

    For those with currently open submissions that are awaiting resolution, your submissions will still be reviewed and processed according to the terms of our program that remain listed below, and remain eligible for paid bounties. Our security team will diligently investigate the issues reported, and we remain committed to addressing any valid vulnerabilities that have been identified.

    While our paid program may be ending, we want to emphasize that we still value the security of our systems and the safety of our users. If you wish to report security vulnerabilities or concerns, you can continue to reach out to us at bugbounty@coviu.com. We appreciate your ongoing dedication to keeping our systems secure, and we thank you for your understanding regarding the changes to our responsible disclosure program.

    Please note that any reports received after the indicated program closure date may not be eligible for compensation or official acknowledgment. 

    Program Rules

    Please read our entire policy before you start! This will help save you time and reduce the chances of submitting a finding that's not in the scope.

    • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be considered.

    • When duplicates occur, we only consider the first report that was received (provided that it can be fully reproduced).

    • We want you to search for bugs, not user data. If you encounter user information during your testing stop immediately and notify us using security@coviu.com. Further guidance will be provided along with an appropriate recognition for your finding.

    • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

    • Multiple vulnerabilities caused by one underlying issue will be considered as one.

    • Social engineering (e.g. phishing) is prohibited, and the company will take legal action.

    • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

    • Please follow the AWS Penetration Testing Policy: https://aws.amazon.com/security/penetration-testing

    • Be respectful when interacting with our team, and our team will do the same.

    • Do not perform testing that involves enumeration and/or brute-forcing of logins.

    • Do not discuss the finding on social media, publicly document it, or disclose the vulnerability without our consent and review.

    • Do not harm or defraud Coviu systems or our users during your investigation.


    In Scope vulnerabilities

    • Stored/Reflected Cross-site Scripting (XSS)

    • Server-Side Request Forgery (SSRF)

    • Authentication or authorization flaws

    • Server-side Remote Code Execution (RCE)

    • Access Control Vulnerabilities (IDOR, etc.)

    • XML External Entity Attacks (XXE)

    • Significant security misconfigurations on the platform

    • SQL Injection (SQLi)

    • OWASP Top 10 vulnerabilities

    • CWE/SANS Top 25 Most Dangerous Software Errors

    Note: Security issues with significant impact to users will be considered, even if they do not fit the scope categories.


    Out of scope vulnerabilities

    The following issues are considered out of scope and will not be eligible:

    • Scanner output or scanner-generated reports, i.e. reports from automated active scanning tools.

    • Fingerprinting / banner disclosure on common/public services/configuration.

    • Clickjacking on pages with no sensitive actions.

    • Content spoofing without embedding an external link or JavaScript.

    • Any vulnerabilities found on subdomains or properties not explicitly listed in scope.

    • Any activity that could lead to the disruption of our service (DDoS), or rate-limiting issues.

    • CSRF configuration issues without an exploitable proof of concept.

    • Missing best practices in SSL/TLS configuration (lack of HSTS, additional security headers, etc.).

    • Presence of autocomplete functionality in form fields.

    • Lack of HttpOnly or Secure cookie flags on non-sensitive cookies.

    • Reports of vulnerabilities in third-party software (HubSpot).

    • Missing security headers which do not lead directly to a security vulnerability.

    • Flaws affecting the users of out-of-date browsers or plugins.

    • Email bombing and flooding.

    • Enumeration or information disclosure of non-sensitive information.

    Testing Scope

    Scope your testing to the domain listed below ONLY.

    Please do not conduct any testing or scanning outside the specified domain or subdomain mentioned below.

    In Scope: Coviu Staging

    Register Here: https://covi-stage.io/checkout/au/trial

    Vulnerability Submission Policy

    When submitting a vulnerability please include:

    • A description of the vulnerability and the environment in which it was discovered.

    • Details of the application under test and/or the service that is affected.

    • Detailed steps that can reproduce the issue.

    • An image attachment (optional). Do not attach any executable files to your email.

    • Please mail us at bugbounty@coviu.com

    Triage Process

    Email all submissions to bugbounty@coviu.com. Please allow time for triage and for the vulnerability to be fixed before discussing any findings publicly.

    After receiving a submission, Coviu will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.

    Rewards and Recognitions

    To recognise the important work that security researchers provide, Coviu offers monetary rewards of up to $2000 AUD (minimum reward $50), with the final value of the reward determined based on the severity of the reported vulnerability and product category.

    In order to be eligible for the reward you must have complied with the terms and rules outlined in this document.

    Final Notes

    The Coviu team would like to thank all security researchers for helping to keep our customers safe and secure. We applaud your hard work, dedication, and commitment to supporting the Coviu bug bounty program. We will make the final decision on bug eligibility and value.

    This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these program terms do not apply retroactively.

    Thanks to all security researchers for their help in keeping Coviu safe and secure.