Coinut greatly appreciates any investigation on security vulnerabilities that carried out by well-intention and ethical security researchers. We are looking forward to collaborating with the security community to commit a thoroughly investigating and resolving security issues in our platform. This document aims to define a method by which the Coinut can work with the security research community to improve our online security.
This disclosure policy applies only to vulnerabilities in Coinut products and services under the following conditions:
- Only vulnerabilities that are original and previously unreported and not already discovered by internal procedures are in scope.
Please do not report the following security issues as they are currently not in the scope:-
- Volumetric vulnerabilities (i.e. disrupting our service with too many requests in a short period of time).
- TLS configuration weaknesses (e.g. "weak" ciphersuite support, TLS1.0 support, sweet32,)
- Reports of non-exploitable vulnerabilities
- Reports that stating our services do not completely align with "best practice" e.g. suboptimal email related configuration (SPF, DMARC, etc) or missing security headers (CSP, x-frame-options, x-prevent-xss, etc)
- Reports of improper session fixation / session management vulnerabilities.
As much as we greatly appreciate the time and effort that has been done by the security researchers, a recognition and reward for investigating and reporting relevant security vulnerabilities to us will be given accordingly.
Reporting a vulnerability
If you have found an issue which you think that it is an in-scope security vulnerability (kindly refer to section 2 above for more detail on scope), please email firstname.lastname@example.org including:
- Vulnerable website or page.
- A brief description of the class (e.g. "XSS vulnerability") of the Please avoid including any details that might replicate the issue at this stage. Detail will be requested subsequently, over encrypted communications.
We ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible based on the industry convention. This is to ensure that the reports can be categorized quickly and accurately while also reducing the possibility of duplicate reports and/or malicious exploitation of certain vulnerability categories (e.g. sub-domain takeovers). If the vulnerability is still exploitable, please make sure that you do not send the report / proof of exploit in the initial, plaintext email. Please also ensure that all proof of exploits are in accordance with our guidance (below), if you are in any doubt, please email email@example.com for advice.
Before reporting any vulnerabilities, please read through this document to ensure that you understand the policy and able to comply with it.
What to expect
You will receive a confirmation email from the Coinut development team in response to your initial email to firstname.lastname@example.org and usually within a few business days of your report being received. The email will include a ticket reference number which you can quote in any further communications with our development team. We may attach a PGP key that you can use to encrypt future communications containing sensitive information.
Following the initial contact, our development team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability meets the above scope, or is a duplicate report. From this point, necessary remediation work will be assigned to the appropriate Coinut team members and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of the impact and complexity of exploitation. Vulnerability reports may take some time to triage and/or remediate, you’re welcome to enquire.
When the reported vulnerability is resolved (or remediation plan is scheduled), our development team will notify you and ask for confirmation on the solution that has adequately covered the vulnerability. You will be able to give us feedback on processes, relationships, and vulnerability solutions. We use this information strictly and confidentially for the improvement of how we handle reporting and/or develop services and resolve vulnerabilities. We would also offer an opportunity to be included on our acknowledgments page for the reporters that have provided qualifying vulnerabilities to us.
Security researchers must not:
- Access unnecessary amounts of data. Please provide 2 or 3 records will do, as most vulnerabilities can be demonstrated in 2 or 3 records (such as an enumeration or direct object reference vulnerability);
- Violation of the privacy of Coinut users, employees, contractors, systems, etc. For example, share, redistribute and/or not properly securing data retrieved from our systems or services;
- Use methods that are not described in this policy or communicate any vulnerabilities or related details with anyone other than your dedicated Coinut security contact;
- Modify any data in our systems/services that is not your own;
- Disrupt our service(s) and/or systems; or
- Disclose any vulnerabilities in Coinut systems/services to 3rd parties/the public before Coinut confirming that those vulnerabilities have been eased or fixed. The notification of vulnerability to 3rd parties to whom the vulnerability is directly relevant will not be prevented, for example, when the reported vulnerability is in a software library or framework, – but details of the specific vulnerability of the Coinut must not be referenced in such reports. If you are unsure about the status of a 3rd party to whom you wish to send a notification, please email email@example.com for clarification.
The information and data retrieved during the research will be requested to be securely deleted as soon as it is no longer required. The action must be done within a month after the vulnerability is resolved.
Please contact our security team for guidance (please do not include any sensitive information in the initial communications): firstname.lastname@example.org. if you are not sure whether the actions you are thinking of taking are acceptable at any stage.
This policy is created for well-intention security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause the Coinut to be in breach of any of its legal obligations from relevant authorities.
Coinut will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope Coinut service.
If you wish to provide feedback or suggestions on this policy, please contact our team at email@example.com. This policy will evolve over time and your input will be valued to ensure that it is clear, complete, and remains relevant.
(Last updated: )