Bug Bounty
Co:Create Bug Bounty Program
We take security issues very seriously and appreciate your responsible approach to disclosing these vulnerabilities privately to us at security@usecocreate.io.
We would like to kindly inform you that our company has a bug bounty program specifically designed for white hat hackers who responsibly disclose vulnerabilities like the ones you have found. If eligible for a reward, we have a $100 minimum bounty for every bug that we determine has a valid impact on our system's security.
The scope of the bug bounty would be our API Platform: We do not own coda.io. Please do not submit reports for vulnerabilities.
Program Rules
Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Eligibility
In order to be eligible for a bounty, you must meet the following requirements:
- You must be the first reporter of the vulnerability and report it at security@usecocreate.io.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- No vulnerability disclosure is allowed without express consent from Co:Create. This rule applies to any vulnerability details as well as information obtained during exploitation, even for resolved issues.
- We may request up to 60 days of additional time after the disclosure request or report resolution to remediate the issue. This time is usually required to distribute the fixed version among our customers.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Vulnerability must have a clearly identified security impact and be presented with enough information for investigation and reproduction by the Co:Create team.
Exclusions
Vulnerabilities that meet any of the following criteria are not eligible for a bounty:
- Affecting an ineligible scope
- Bugs caused by a third-party platform or website that our application is using
- Only affecting outdated browsers/platforms
- Only affecting the executing user (self-XSS and similar)
- Caused by misbehaving third-party software/website
- Applicable only through social engineering
- Relying on the premise that you already have access to an affected account (or user's browser)
- Vulnerabilities considered by Co:Create to be of low severity
Co:Create will determine at its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.