CoachAccountable Bug Bounty Program
Think you've found a vulnerability?
Your insight and discoveries are good for our deep appreciation and a cash reward.
Rewards
Rewards are based the following tiers of severity:
| Low | $100 - $249 | E.g. functionality-disrupting |
| Medium | $250 - $999 | E.g. escalated privileges leading to disallowed access within an account |
| High | $1000 - $4,999 | E.g. escalated privileges leading to access outside one's account |
| Critical | $5000 - $10,000 | E.g. RCE, arbitrary SQL injection payloads |
We'll provide rewards to reporters who submit original, in-scope vulnerabilities. Each report is assessed based on criticality, impact and risk to our customers and our company.
Our minimum reward is $100. We may choose to grant bonuses or larger rewards to critical vulnerabilities, more creative exploits, and more insightful reports.
One reward per bug; first discovery claims it; ties break toward the best report.
Rewards will be paid via PayPal.
What's in scope?
Generally speaking, the whole of the CoachAccountable app including its hosting environment. Any means of gaining actual access to app data you ought not be able to.
- The CoachAccountable app itself as located at https://www.coachaccountable.com
- The CoachAccountable API as described at https://www.coachaccountable.com/APIDocs
- Your own CoachAccountable accounts only
- Untrusted users within the same account gaining disallowed access of other same-account users WITHOUT their involvement
What's out of scope?
Everything that's not in scope. This includes but is not limited to:
- The CoachAccountable blog as hosted at https://blog.coachaccountable.com
- Untrusted users within the same account gaining disallowed access of other same-account users WITH their involvement, e.g. by uploading malware, embedding phishing URLs in comments, RTLO based attacks in URLs, IDN homograph attacks, etc.
Non-meaningful reports that are also out of scope
This is a long list. It reflects common "vulnerability" reports that either depend on the unsafe/insecure behaviors of other users (which we cannot control) or are merely ostensible "best practices", the violation of which cannot actually be meaningfully exploited.
- Password not required to update the existing password or email address, or enable 2FA
- Email spoofing, including SPF/DKIM/DMARC policies
- Hyperlink injection on emails
- Rate limiting
- Best practices concerns (we require evidence of a security vulnerability)
- Benign or self-only-affecting circumvention of UI constraints (we require evidence of a security vulnerability)
- Sessions not being invalidated when 2FA is enabled
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Race conditions that don't compromise the security of any user or CoachAccountable
- Reports about theoretical damage without a real risk
- The output of automated scanners without explanation
- CSRF with no security implications (like login/logout/unauthenticated CSRF)
- XSS that doesn't persist on reload (i.e. not saved server-side)
- Trivial XSS that can't actually access private data (e.g. allowed JavaScript in an uploaded PDF)
- Broken links
- Clickjacking
- Missing cookie flags on non-security sensitive cookies
- Attacks requiring physical or console access to a user's device
- Missing security headers not related to a security vulnerability
- Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
- Banner grabbing issues to figure out the stack we use or software version disclosure
- Open ports without a vulnerability
- Password and account recovery policies, such as reset link expiration or password complexity
- Disclosure of known public files or directories, (e.g. robots.txt)
- Reports of spam
- Username/email address enumeration
- Presence of autocomplete attribute on web forms
- DNSSEC and DANE
- HSTS or CSP headers
- Host header injection unless you can show how a third-party can exploit it
- Reflected File Download (RFD)
- EXIF information not stripped from uploaded images
- DoS targeting other users on the same account, e.g. using malformed inputs or crafted file uploads
- DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error
- DoS vulnerabilities based on password length
- DoS vulnerabilities based on lack of pagination or lots of user content slowing response times
- Using product features like invitation/signup/forgot-password to deliver messages to any email address
- Unrestricted file upload without a clear attack scenario or PoC
Disqualifiers
In your efforts as an ethical hacker to find and report vulnerabilities for the bug bounty program, the following are off limits:
- Attempting access to other customers' accounts or accessing other customers' accounts and data unless it's completely unintentional and accidental.
- Denial of service: disrupting other customers' access to their own accounts.
- Social engineering of any kind against other customers or CoachAccountable staff, including spearphishing attempts or contacting our support team.
- Overwhelming our support team with messages. Don't fuzz Contact Support forms.
- Physical intrusion.
- Automated scanning, mail bombing, spam, brute-forcing or automated attacks with programs like Burp Intruder.
- Leaking, manipulating, or destroying any user data.
Guidelines
- All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.
- Practice responsible disclosure. That's a responsibility to users, not us. We will live up to the other end of this by resolving bugs in a timely manner.
- If you sign up for a CoachAccountable account for vulnerability testing, please include "bugBounty" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.
- If you include any secrets or confidential information in your report, partially mask it, as far as possible, so you can still convey the severity of your findings without accidentally leaking information.
- Submit your reports to security@coachaccountable.com.
Questions?
This works because we work together. Contact us with any questions:
security@coachaccountable.com
Bug Bounties Awarded to Date:
It's been (and continues to be) a treat to work with security researchers participating in the program. To:
- acknowledge their findings,
- fix the issues they reveal, and
- swiftly reward them for their efforts.
Acknowledge. Fix. Reward. That's our kind of fun here.
Here are the results to date:| Opened | Closed | Amount | Issue | By |
|---|---|---|---|---|
| Oct 07 | Oct 07 | $200 | Tabnabbing in shared External Link Files | Akash C |
| Oct 07 | Oct 07 | $300 | Side Request Forgery via PhantomJS | Akash C |
| Oct 09 | Oct 19 | $500 | Illegitimate use of system email addresses | Akash C |
| Oct 11 | Oct 16 | $500 | WYSIWYG Editor-based XSS | Akash C |
| Oct 13 | Oct 16 | $300 | Cookie Jar Overflow exploiting Session Fixation | Akash C |
| Oct 22 | Oct 23 | $100 | Coach's comment to client deleting by that client | Siddhant Dhanawade |
| Oct 24 | Oct 24 | $200 | WAF Bypass via Origin IP | Prajit Sindhkar |
| Oct 25 | Oct 25 | $150 | User IP Spoofing via HTTP header Injection | Saeel Relekar |
| Oct 27 | Nov 03 | $250 | Bypass of email verification via Offerings "Register now" button | Akash C |
| Nov 03 | Nov 03 | $900 | Unescaped HTML attribute XSS injections | Paul Vincent Prieto |
| Nov 03 | Nov 03 | $500 | Group names XSS injection | Paul Vincent Prieto |
| Nov 04 | Nov 07 | $1000 | IDOR of Group Session Notes | Judy Magleo |
| Nov 04 | Nov 07 | $250 | Coach import XSS injection | Judy Magleo |
| Nov 04 | Nov 07 | $250 | Form Item validation message XSS injection | Judy Magleo |
| Nov 04 | Nov 07 | $250 | Unescaped HTML title XSS injections | Judy Magleo |
| Nov 07 | Nov 07 | $400 | XSS via inbound subject lines | Ian Moraga |
| Nov 07 | Nov 07 | $150 | XSS in template design via Reflection absent value | Ian Moraga |
| Nov 07 | Nov 07 | $250 | XSS in title of select minimized pop up windows | Ian Moraga |
| Nov 07 | Nov 07 | $150 | XSS in client name for client export download button | Ian Moraga |
| Nov 07 | Nov 07 | $150 | XSS in website of coach profile | Ian Moraga |
| Nov 07 | Nov 07 | $250 | Ability to load Activity Stats for non-visible in-account clients | Ian Moraga |
| Nov 10 | Nov 11 | $300 | Encoded XSS in item title manifest when printing | Akash C |
| Nov 10 | Nov 11 | $150 | Encoded XSS in Offering name manifest when viewing embed code | Akash C |
| Nov 10 | Nov 11 | $150 | Encoded XSS in Company name manifest when creating invoice | Akash C |
| Nov 12 | Nov 13 | $300 | Admin ability to change email of already registered team member | Akash C |
| Nov 12 | Nov 13 | $400 | XSS in Reflections output template | Akash C |
| Nov 12 | Nov 13 | $150 | XSS in Reflections non-meaningful values | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $150 | XSS in client name with Follow Through report | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $150 | Exposed WordPress directory indexes | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $100 | Self Appointment scheduling for coaches who lack permission | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $300 | XSS in folderization tree view from item and folder names | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $250 | Client roster exporting of other coaches when lacking access | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $100 | API documentation page clickjacking | Paul Vincent Prieto |
| Nov 12 | Nov 13 | $100 | Publicly accessible PHP opcache state | Paul Vincent Prieto |
| Nov 13 | Nov 13 | $250 | Sign Up CSRF to set various values | geekboyranjeet |
| Nov 13 | Nov 13 | $200 | CSRF-like snyc Google calendar to unwitting other user | geekboyranjeet |
| Nov 13 | Nov 13 | $100 | Referrer CSRF sign up | geekboyranjeet |
| Nov 14 | Nov 16 | $100 | Disable 2FA for in-account clients | Akash C |
| Nov 14 | Nov 16 | $150 | Load of coach profile by coaches lacking permission | geekboyranjeet |
| Nov 15 | Nov 16 | $100 | Load coach roster by coaches lacking permission | geekboyranjeet |
| Nov 15 | Nov 16 | $100 | Pick new default avatar for other in-account users | geekboyranjeet |
| Nov 15 | Nov 16 | $150 | Message team members by coaches lacking permission | geekboyranjeet |
| Nov 16 | Nov 16 | $150 | Client adding by coaches lacking permission | geekboyranjeet |
| Nov 16 | Nov 18 | $150 | Encoded XSS in group member name manifest when deleting | Akash C |
| Nov 16 | Nov 18 | $250 | Access of other coach data by non-admin coaches | geekboyranjeet |
| Nov 16 | Nov 18 | $250 | Client access of Metrics of other same-coach clients | geekboyranjeet |
| Nov 17 | Nov 18 | $1000 | IDOR of client names | Judy Magleo |
| Nov 17 | Nov 18 | $150 | XSS by team member name in Team Member Manager | Judy Magleo |
| Totals: | $12700 | 48 issues | 8 reporters |
Sound like a safe place for YOUR coaching work?
It is.
Deliver better programs. To more people. With less work.
© CoachAccountable, LLC. All rights reserved.
CoachAccountable is lovingly crafted in Denver, Colorado by some guy.
CoachAccountable is lovingly crafted in Denver, Colorado by some guy.