CoachAccountable Bug Bounty Program

Think you've found a vulnerability?

Your insight and discoveries are good for our deep appreciation and a cash reward.

Rewards

Rewards are based the following tiers of severity:

Low$100 - $249E.g. functionality-disrupting 
Medium$250 - $999E.g. escalated privileges leading to disallowed access within an account
High$1000 - $4,999E.g. escalated privileges leading to access outside one's account
Critical$5000 - $10,000E.g. RCE, arbitrary SQL injection payloads

We'll provide rewards to reporters who submit original, in-scope vulnerabilities.  Each report is assessed based on criticality, impact and risk to our customers and our company.

Our minimum reward is $100. We may choose to grant bonuses or larger rewards to critical vulnerabilities, more creative exploits, and more insightful reports.

One reward per bug; first discovery claims it; ties break toward the best report.

Rewards will be paid via PayPal.



What's in scope?

Generally speaking, the whole of the CoachAccountable app including its hosting environment.  Any means of gaining actual access to app data you ought not be able to.




What's out of scope?

Everything that's not in scope. This includes but is not limited to:

  • The CoachAccountable blog as hosted at https://blog.coachaccountable.com
  • Untrusted users within the same account gaining disallowed access of other same-account users WITH their involvement, e.g. by uploading malware, embedding phishing URLs in comments, RTLO based attacks in URLs, IDN homograph attacks, etc.



Non-meaningful reports that are also out of scope

This is a long list.  It reflects common "vulnerability" reports that either depend on the unsafe/insecure behaviors of other users (which we cannot control) or are merely ostensible "best practices", the violation of which cannot actually be meaningfully exploited.

  • Best practices concerns (we require evidence of a security vulnerability)
  • Reports about theoretical damage without a real risk
  • Benign or self-only-affecting circumvention of UI constraints (we require evidence of a security vulnerability)
  • Origin IP address disclosure
  • Password not required to update the existing password or email address, or enable 2FA
  • Email spoofing, including SPF/DKIM/DMARC policies
  • Hyperlink injection
  • Rate limiting
  • Clickjacking
  • Username/email address enumeration
  • Sessions not being invalidated when 2FA is enabled
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Race conditions that don't compromise the security of any user or CoachAccountable
  • The output of automated scanners without explanation
  • CSRF with no security implications (like login/logout/unauthenticated CSRF)
  • XSS that doesn't persist on reload (i.e. not saved server-side)
  • Trivial XSS that can't actually access private data (e.g. allowed JavaScript in an uploaded PDF)
  • CSV value injection into other contexts (e.g. Excel formulas)
  • Broken links
  • Missing cookie flags on non-security sensitive cookies
  • Attacks requiring physical or console access to a user's device
  • Missing security headers not related to a security vulnerability
  • Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
  • Banner grabbing issues to figure out the stack we use or software version disclosure
  • Open ports without a vulnerability
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Reports of spam
  • Presence of autocomplete attribute on web forms
  • DNSSEC and DANE
  • HSTS or CSP headers
  • Host header injection unless you can show how a third-party can exploit it
  • Reflected File Download (RFD)
  • EXIF information not stripped from uploaded images
  • DoS targeting other users on the same account, e.g. using malformed inputs or crafted file uploads
  • DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error
  • DoS vulnerabilities based on password length
  • DoS vulnerabilities based on lack of pagination or lots of user content slowing response times
  • Using product features like invitation/signup/forgot-password to deliver messages to any email address
  • Unrestricted file upload without a clear attack scenario or PoC
  • Compromised credentials that were not obtained/leaked from CoachAccountable itself



Disqualifiers

In your efforts as an ethical hacker to find and report vulnerabilities for the bug bounty program, the following are off limits:

  • Attempting access to other customers' accounts or accessing other customers' accounts and data unless it's completely unintentional and accidental.
  • Denial of service: disrupting other customers' access to their own accounts.
  • Social engineering of any kind against other customers or CoachAccountable staff, including spearphishing attempts or contacting our support team.
  • Overwhelming our support team with messages. Don't fuzz Contact Support forms.
  • Physical intrusion.
  • Automated scanning, mail bombing, spam, brute-forcing or automated attacks with programs like Burp Intruder.
  • Leaking, manipulating, or destroying any user data.




Guidelines

  • All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.
  • Practice responsible disclosure. That's a responsibility to users, not us. We will live up to the other end of this by resolving bugs in a timely manner.
  • If you sign up for a CoachAccountable account for vulnerability testing, please include "bugBounty" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.
  • If you include any secrets or confidential information in your report, partially mask it, as far as possible, so you can still convey the severity of your findings without accidentally leaking information.
  • Submit your reports to security@coachaccountable.com.



Questions?

This works because we work together. Contact us with any questions:
security@coachaccountable.com





Bug Bounties Awarded to Date:

It's been (and continues to be) a treat to work with security researchers participating in the program. To:

  • acknowledge their findings,
  • fix the issues they reveal, and
  • swiftly reward them for their efforts.

Acknowledge. Fix. Reward. That's our kind of fun here.

Here are the results to date:

Opened Closed Amount Issue By
Oct 07 Oct 07 $200 Tabnabbing in shared External Link Files Akash C
Oct 07 Oct 07 $300 Side Request Forgery via PhantomJS Akash C
Oct 09 Oct 19 $500 Illegitimate use of system email addresses Akash C
Oct 11 Oct 16 $500 WYSIWYG Editor-based XSS Akash C
Oct 13 Oct 16 $300 Cookie Jar Overflow exploiting Session Fixation Akash C
Oct 22 Oct 23 $100 Coach's comment to client deleting by that client Siddhant Dhanawade
Oct 24 Oct 24 $200 WAF Bypass via Origin IP Prajit Sindhkar
Oct 25 Oct 25 $150 User IP Spoofing via HTTP header Injection Saeel Relekar
Oct 27 Nov 03 $250 Bypass of email verification via Offerings "Register now" button Akash C
Nov 03 Nov 03 $900 Unescaped HTML attribute XSS injections Paul Vincent Prieto
Nov 03 Nov 03 $500 Group names XSS injection Paul Vincent Prieto
Nov 04 Nov 07 $1000 IDOR of Group Session Notes Judy Magleo
Nov 04 Nov 07 $250 Coach import XSS injection Judy Magleo
Nov 04 Nov 07 $250 Form Item validation message XSS injection Judy Magleo
Nov 04 Nov 07 $250 Unescaped HTML title XSS injections Judy Magleo
Nov 07 Nov 07 $400 XSS via inbound subject lines Ian Moraga
Nov 07 Nov 07 $150 XSS in template design via Reflection absent value Ian Moraga
Nov 07 Nov 07 $250 XSS in title of select minimized pop up windows Ian Moraga
Nov 07 Nov 07 $150 XSS in client name for client export download button Ian Moraga
Nov 07 Nov 07 $150 XSS in website of coach profile Ian Moraga
Nov 07 Nov 07 $250 Ability to load Activity Stats for non-visible in-account clients Ian Moraga
Nov 10 Nov 11 $300 Encoded XSS in item title manifest when printing Akash C
Nov 10 Nov 11 $150 Encoded XSS in Offering name manifest when viewing embed code Akash C
Nov 10 Nov 11 $150 Encoded XSS in Company name manifest when creating invoice Akash C
Nov 12 Nov 13 $300 Admin ability to change email of already registered team member Akash C
Nov 12 Nov 13 $400 XSS in Reflections output template Akash C
Nov 12 Nov 13 $150 XSS in Reflections non-meaningful values Paul Vincent Prieto
Nov 12 Nov 13 $150 XSS in client name with Follow Through report Paul Vincent Prieto
Nov 12 Nov 13 $150 Exposed WordPress directory indexes Paul Vincent Prieto
Nov 12 Nov 13 $100 Self Appointment scheduling for coaches who lack permission Paul Vincent Prieto
Nov 12 Nov 13 $300 XSS in folderization tree view from item and folder names Paul Vincent Prieto
Nov 12 Nov 13 $250 Client roster exporting of other coaches when lacking access Paul Vincent Prieto
Nov 12 Nov 13 $100 API documentation page clickjacking Paul Vincent Prieto
Nov 12 Nov 13 $100 Publicly accessible PHP opcache state Paul Vincent Prieto
Nov 13 Nov 13 $250 Sign Up CSRF to set various values geekboyranjeet
Nov 13 Nov 13 $200 CSRF-like snyc Google calendar to unwitting other user geekboyranjeet
Nov 13 Nov 13 $100 Referrer CSRF sign up geekboyranjeet
Nov 14 Nov 16 $100 Disable 2FA for in-account clients Akash C
Nov 14 Nov 16 $150 Load of coach profile by coaches lacking permission geekboyranjeet
Nov 15 Nov 16 $100 Load coach roster by coaches lacking permission geekboyranjeet
Nov 15 Nov 16 $100 Pick new default avatar for other in-account users geekboyranjeet
Nov 15 Nov 16 $150 Message team members by coaches lacking permission geekboyranjeet
Nov 16 Nov 16 $150 Client adding by coaches lacking permission geekboyranjeet
Nov 16 Nov 18 $150 Encoded XSS in group member name manifest when deleting Akash C
Nov 16 Nov 18 $250 Access of other coach data by non-admin coaches geekboyranjeet
Nov 16 Nov 18 $250 Client access of Metrics of other same-coach clients geekboyranjeet
Nov 17 Nov 18 $1000 IDOR of client names Judy Magleo
Nov 17 Nov 18 $150 XSS by team member name in Team Member Manager Judy Magleo
Nov 18 Nov 21 $200 Coach ability to delete other coach's Journal Entry geekboyranjeet
Nov 18 Nov 21 $150 Coach ability to delete other coach's client file marked private geekboyranjeet
Nov 19 Nov 21 $150 Disallowed ability to re-designate Course Participant's coach geekboyranjeet
Nov 19 Nov 21 $150 Forged requests allowing access of not-visible Metrics geekboyranjeet
Nov 19 Nov 21 $150 Forged request to share file with non-paired clients geekboyranjeet
Nov 21 Nov 21 $250 Revealed stack trace error geekboyranjeet
Nov 21 Nov 25 $250 Forged request to access ClientFile of non-paired client Paul Vincent Prieto
Nov 23 Nov 25 $100 XSS in client name when spinning off a Course Ashish Padelkar
Nov 24 Nov 25 $200 XSS in Worksheet Template name in Course Builder Ashish Padelkar
Nov 25 Nov 25 $200 Welcome Page CSRF of account cancellation Akash C
Nov 26 Nov 27 $250 XSS in Form Builder radio options Akash C
Nov 26 Nov 27 $100 Forged request to create Whiteboards for non-paired client geekboyranjeet
Nov 27 Nov 27 $1000 Deletion of arbitrary files via filename path injection Zeeshan Mirza
Nov 28 Dec 02 $100 Forged request to delete private comments of non-owning coach geekboyranjeet
Dec 02 Dec 02 $250 XSS by error report-causing Client Import CSV data Judy Magleo
Dec 03 Dec 04 $100 XSS by error report-causing Company Import CSV data Judy Magleo
Dec 03 Dec 04 $100 XSS in linked-to File URL in generated export files Judy Magleo
Dec 03 Dec 04 $100 Names of private Metrics showing in Overview >> What's Next Ashish Padelkar
Dec 06 Dec 06 $250 Enemerable access of account branding assets Anonymous
Dec 07 Dec 10 $250 Forged request allowing client to delete coach's Group Message Eragon K
Dec 09 Dec 10 $100 Forged request allowing client to post comments on non-visible Group Items Judy Magleo
Dec 12 Dec 12 $100 Forged request allowing comments on non-visible Group Whiteboards Ashish Padelkar
Totals: $17200 70 issues 12 reporters




Sound like a safe place for YOUR coaching work?
It is.

Loading...