CoachAccountable Bug Bounty Program

Rewards

Rewards are based the following tiers of severity:

Low	$100 - $249	E.g. functionality-disrupting
Medium	$250 - $999	E.g. escalated privileges leading to disallowed access within an account
High	$1000 - $4,999	E.g. escalated privileges leading to access outside one's account
Critical	$5000 - $10,000	E.g. RCE, arbitrary SQL injection payloads

We'll provide rewards to reporters who submit original, in-scope vulnerabilities.  Each report is assessed based on criticality, impact and risk to our customers and our company.

Our minimum reward is $100. We may choose to grant bonuses or larger rewards to critical vulnerabilities, more creative exploits, and more insightful reports.

One reward per bug; first discovery claims it; ties break toward the best report.

Rewards will be paid via PayPal.

What's in scope?

Generally speaking, the whole of the CoachAccountable app including its hosting environment.  Any means of gaining actual access to app data you ought not be able to.

• The CoachAccountable app itself as located at https://www.coachaccountable.com
• The CoachAccountable API as described at https://www.coachaccountable.com/APIDocs
• Your own CoachAccountable accounts only
• Untrusted users within the same account gaining disallowed access of other same-account users WITHOUT their involvement

What's out of scope?

Everything that's not in scope. This includes but is not limited to:

• Anything to do with any WordPress installations.
• Untrusted users within the same account gaining disallowed access of other same-account users WITH their involvement, e.g. by uploading malware, embedding phishing URLs in comments, RTLO based attacks in URLs, IDN homograph attacks, etc.

Non-meaningful reports that are also out of scope

This is a long list.  It reflects common "vulnerability" reports that either depend on the unsafe/insecure behaviors of other users (which we cannot control) or are merely ostensible "best practices", the violation of which cannot actually be meaningfully exploited.

• Best practices concerns (we require evidence of a security vulnerability)
• Reports about theoretical damage without a real risk
• Benign or self-only-affecting circumvention of UI constraints (we require evidence of a security vulnerability)
• Origin IP address disclosure
• Password not required to update the existing password or email address, or enable 2FA
• Email spoofing, including SPF/DKIM/DMARC policies
• Hyperlink injection
• Rate limiting
• Clickjacking
• Username/email address enumeration
• Best practices concerns (we require evidence of a security vulnerability)
• The fact that the same email is allowed for signing up to multiple accounts
• Sessions not being invalidated when 2FA is enabled
• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
• Race conditions that don't compromise the security of any user or CoachAccountable
• The output of automated scanners without explanation
• CSRF with no security implications (like login/logout/unauthenticated CSRF)
• XSS that doesn't persist on reload (i.e. not saved server-side)
• Trivial XSS that can't actually access private data (e.g. allowed JavaScript in an uploaded PDF)
• CSV value injection into other contexts (e.g. Excel formulas)
• That public, customer-branded pages (e.g. login pages) are discoverable
• Broken links
• Missing cookie flags on non-security sensitive cookies
• Deleted assets temporarily lingering by virtue of browser and/or CDN caching
• Attacks requiring physical or console access to a user's device
• Missing security headers not related to a security vulnerability
• Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
• Banner grabbing issues to figure out the stack we use or software version disclosure
• Open ports without a vulnerability
• Password and account recovery policies, such as reset link expiration or password complexity
• Disclosure of known public files or directories, (e.g. robots.txt)
• Reports of spam
• Presence of autocomplete attribute on web forms
• Best practices concerns (we require evidence of a security vulnerability)
• DNSSEC and DANE
• HSTS or CSP headers
• Host header injection unless you can show how a third-party can exploit it
• Reflected File Download (RFD)
• EXIF information not stripped from uploaded images
• Assets at unguessable URLs being accessible when not logged in
• Not requiring further authorization for logged-in user functions (e.g. password reset, account cancelling)
• DoS targeting other users on the same account, e.g. using malformed inputs or crafted file uploads
• DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error
• DoS vulnerabilities based on password length
• DoS vulnerabilities based on lack of pagination or lots of user content slowing response times
• Using product features like invitation/signup/forgot-password to deliver messages to any email address
• Unrestricted file upload without a clear attack scenario or PoC
• Compromised credentials that were not obtained/leaked from CoachAccountable itself
• Best practices concerns (seriously, we require evidence of a security vulnerability)

Disqualifiers

In your efforts as an ethical hacker to find and report vulnerabilities for the bug bounty program, the following are off limits:

• Attempting access to other customers' accounts or accessing other customers' accounts and data unless it's completely unintentional and accidental.
• Denial of service: disrupting other customers' access to their own accounts.
• Social engineering of any kind against other customers or CoachAccountable staff, including spearphishing attempts or contacting our support team.
• Overwhelming our support team with messages. Don't fuzz Contact Support forms.
• Physical intrusion.
• Automated scanning, mail bombing, spam, brute-forcing or automated attacks with programs like Burp Intruder.
• Leaking, manipulating, or destroying any user data.

Guidelines

• All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.
• Practice responsible disclosure. That's a responsibility to users, not us. We will live up to the other end of this by resolving bugs in a timely manner.
• If you sign up for a CoachAccountable account for vulnerability testing, please include "bugBounty" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.
• If you include any secrets or confidential information in your report, partially mask it, as far as possible, so you can still convey the severity of your findings without accidentally leaking information.
• Submit your reports to security@coachaccountable.com.

Let's Not Waste Each Other's Time

After several good months of novel and relevant findings, the vast majority of reports being sent in now are out of scope, largely resembling Best Practice Concerns that cannot be meaningfully exploited.

If your report contains the words "could" or "might", it almost certainly will not earn you a bounty.

To save yourself the bother, please know that it is highly unlikely at this point that you will find a meaningful, actually exploitable with a mere surface scan of things.

This isn't amateur night, and highly skilled researchers have already thoroughly checked the vast majority of the application's surface area (as evidenced by the sort of niche findings reported and fixed to date).

If your report is rejected because it is out of scope or non-meaningful, or contains flawed logic leading to a wrong conclusion, please do not double down and attempt to make your case. Repeat offenders will be fully disqualified from the Bug Bounty Program. That may seem harsh and dismissive, here's why:

• We really want and value learning about real issues.
• Real issues are fixed ASAP and a bounty is paid out fast.
• Resolution is on average within one day, observe the "Opened" and "Closed" dates below.
• Conversely, we dismiss non-issues with extreme prejudice, simply because they do not matter.
• Because it's our reputation on the line as a secure platform, we are highly incentivized to make this ruling accurately.

Thus rulings on the severity or non-severity of a given issue are final.

Skilled researchers know when an issue is a genuine threat and calmly assert as much. Amateurs throw around words like "critical" and "high severity" in vain hopes of getting a bounty. Emperically, there is very little overlap.

So let's not waste each other's time:
Think before you report.

Questions?

This works because we work together. Contact us with any questions:
security@coachaccountable.com

Bug Bounties Awarded to Date:

It's been (and continues to be) a treat to work with security researchers making meaningful reports in the program. To:

• acknowledge their findings,
• fix the issues they reveal, and
• swiftly reward them for their efforts.

Acknowledge. Fix. Reward. That's our kind of fun here.

Here are the results to date: