CoachAccountable Bug Bounty Program

Think you've found a vulnerability?

Your insight and discoveries earn our deep appreciation and a cash reward.

Rewards

Rewards are based on the following tiers of severity:

Tier       Reward              Example
Low        $100 - $249         E.g. functionality-disrupting
Medium     $250 - $999         E.g. escalated privileges leading to disallowed access within an account
High       $1,000 - $4,999     E.g. escalated privileges leading to access outside one's account
Critical   $5,000 - $10,000    E.g. RCE, arbitrary SQL injection payloads

We'll provide rewards to reporters who submit original, in-scope vulnerabilities.  Each report is assessed based on criticality, impact and risk to our customers and our company.

Our minimum reward is $100. We may choose to grant bonuses or larger rewards for critical vulnerabilities, more creative exploits, and more insightful reports.

One reward per bug; first discovery claims it; ties break toward the best report.



What's in scope?

Generally speaking, the whole of the CoachAccountable app including its hosting environment. Any means of gaining actual access to app data you ought not to be able to.




What's out of scope?

  • The CoachAccountable blog as hosted at https://blog.coachaccountable.com
  • Untrusted users within the same account gaining disallowed access of other same-account users WITH their involvement, e.g. by uploading malware, embedding phishing URLs in comments, RTLO based attacks in URLs, IDN homograph attacks, etc.



Non-meaningful reports that are also out of scope

This is a long list.  It reflects common "vulnerability" reports that either depend on the unsafe/insecure behaviors of other users (which we cannot control) or are merely ostensible "best practices", the violation of which cannot actually be meaningfully exploited.

  • Password not required to update the existing password or email address, or enable 2FA
  • Email spoofing, including SPF/DKIM/DMARC policies
  • Hyperlink injection on emails
  • Rate limiting
  • Best practices concerns (we require evidence of a security vulnerability)
  • Sessions not being invalidated when 2FA is enabled
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Race conditions that don't compromise the security of any user or CoachAccountable
  • Reports about theoretical damage without a real risk
  • The output of automated scanners without explanation
  • CSRF with no security implications (like login/logout/unauthenticated CSRF)
  • Broken links
  • Missing cookie flags on non-security sensitive cookies
  • Attacks requiring physical or console access to a user's device
  • Missing security headers not related to a security vulnerability
  • Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
  • Banner grabbing issues to figure out the stack we use or software version disclosure
  • Open ports without a vulnerability
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Reports of spam
  • Username/email address enumeration
  • Presence of autocomplete attribute on web forms
  • DNSSEC and DANE
  • HSTS or CSP headers
  • Host header injection unless you can show how a third-party can exploit it
  • Reflected File Download (RFD)
  • EXIF information not stripped from uploaded images
  • DoS targeting other users on the same account, e.g. using malformed inputs or crafted file uploads
  • DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error
  • DoS vulnerabilities based on password length
  • DoS vulnerabilities based on lack of pagination or lots of user content slowing response times
  • Using product features like invitation/signup/forgot-password to deliver messages to any email address
  • Unrestricted file upload without a clear attack scenario or PoC



Disqualifiers

In your efforts as an ethical hacker to find and report vulnerabilities for the bug bounty program, the following are off limits:

  • Attempting access to other customers' accounts or accessing other customers' accounts and data unless it's completely unintentional and accidental.
  • Denial of service: disrupting other customers' access to their own accounts.
  • Social engineering of any kind against other customers or CoachAccountable staff, including spearphishing attempts or contacting our support team.
  • Overwhelming our support team with messages. Don't fuzz Contact Support forms.
  • Physical intrusion.
  • Automated scanning, mail bombing, spam, brute-forcing or automated attacks with programs like Burp Intruder.
  • Leaking, manipulating, or destroying any user data.




Guidelines

  • All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.
  • Practice responsible disclosure. That's a responsibility to users, not us. We will live up to the other end of this by resolving bugs in a timely manner.
  • If you sign up for a CoachAccountable account for vulnerability testing, please include "bugBounty" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.
  • If you include any secrets or confidential information in your report, partially mask it, as far as possible, so you can still convey the severity of your findings without accidentally leaking information.
  • Submit your reports to security@coachaccountable.com.



Questions?

This works because we work together. Contact us with any questions:
security@coachaccountable.com






