Think you've found a vulnerability?
Your insight and discoveries are good for our deep appreciation and a cash reward.
Low | $100 - $249 | E.g. functionality-disrupting |
Medium | $250 - $999 | E.g. escalated privileges leading to disallowed access within an account |
High | $1000 - $4,999 | E.g. escalated privileges leading to access outside one's account |
Critical | $5000 - $10,000 | E.g. RCE, arbitrary SQL injection payloads |
We'll provide rewards to reporters who submit original, in-scope vulnerabilities. Each report is assessed based on criticality, impact and risk to our customers and our company.
Our minimum reward is $100. We may choose to grant bonuses or larger rewards to critical vulnerabilities, more creative exploits, and more insightful reports.
One reward per bug; first discovery claims it; ties break toward the best report.
Rewards will be paid via PayPal.
Generally speaking, the whole of the CoachAccountable app including its hosting environment. Any means of gaining actual access to app data you ought not be able to.
Everything that's not in scope. This includes but is not limited to:
This is a long list. It reflects common "vulnerability" reports that either depend on the unsafe/insecure behaviors of other users (which we cannot control) or are merely ostensible "best practices", the violation of which cannot actually be meaningfully exploited.
In your efforts as an ethical hacker to find and report vulnerabilities for the bug bounty program, the following are off limits:
This works because we work together. Contact us with any questions:
security@coachaccountable.com
It's been (and continues to be) a treat to work with security researchers participating in the program. To:
Acknowledge. Fix. Reward. That's our kind of fun here.
Here are the results to date:Opened | Closed | Amount | Issue | By |
---|---|---|---|---|
Oct 07 | Oct 07 | $200 | Tabnabbing in shared External Link Files | Akash C |
Oct 07 | Oct 07 | $300 | Side Request Forgery via PhantomJS | Akash C |
Oct 09 | Oct 19 | $500 | Illegitimate use of system email addresses | Akash C |
Oct 11 | Oct 16 | $500 | WYSIWYG Editor-based XSS | Akash C |
Oct 13 | Oct 16 | $300 | Cookie Jar Overflow exploiting Session Fixation | Akash C |
Oct 22 | Oct 23 | $100 | Coach's comment to client deleting by that client | Siddhant Dhanawade |
Oct 24 | Oct 24 | $200 | WAF Bypass via Origin IP | Prajit Sindhkar |
Oct 25 | Oct 25 | $150 | User IP Spoofing via HTTP header Injection | Saeel Relekar |
Oct 27 | Nov 03 | $250 | Bypass of email verification via Offerings "Register now" button | Akash C |
Nov 03 | Nov 03 | $900 | Unescaped HTML attribute XSS injections | Paul Vincent Prieto |
Nov 03 | Nov 03 | $500 | Group names XSS injection | Paul Vincent Prieto |
Nov 04 | Nov 07 | $1000 | IDOR of Group Session Notes | Judy Magleo |
Nov 04 | Nov 07 | $250 | Coach import XSS injection | Judy Magleo |
Nov 04 | Nov 07 | $250 | Form Item validation message XSS injection | Judy Magleo |
Nov 04 | Nov 07 | $250 | Unescaped HTML title XSS injections | Judy Magleo |
Nov 07 | Nov 07 | $400 | XSS via inbound subject lines | Ian Moraga |
Nov 07 | Nov 07 | $150 | XSS in template design via Reflection absent value | Ian Moraga |
Nov 07 | Nov 07 | $250 | XSS in title of select minimized pop up windows | Ian Moraga |
Nov 07 | Nov 07 | $150 | XSS in client name for client export download button | Ian Moraga |
Nov 07 | Nov 07 | $150 | XSS in website of coach profile | Ian Moraga |
Nov 07 | Nov 07 | $250 | Ability to load Activity Stats for non-visible in-account clients | Ian Moraga |
Nov 10 | Nov 11 | $300 | Encoded XSS in item title manifest when printing | Akash C |
Nov 10 | Nov 11 | $150 | Encoded XSS in Offering name manifest when viewing embed code | Akash C |
Nov 10 | Nov 11 | $150 | Encoded XSS in Company name manifest when creating invoice | Akash C |
Nov 12 | Nov 13 | $300 | Admin ability to change email of already registered team member | Akash C |
Nov 12 | Nov 13 | $400 | XSS in Reflections output template | Akash C |
Nov 12 | Nov 13 | $150 | XSS in Reflections non-meaningful values | Paul Vincent Prieto |
Nov 12 | Nov 13 | $150 | XSS in client name with Follow Through report | Paul Vincent Prieto |
Nov 12 | Nov 13 | $150 | Exposed WordPress directory indexes | Paul Vincent Prieto |
Nov 12 | Nov 13 | $100 | Self Appointment scheduling for coaches who lack permission | Paul Vincent Prieto |
Nov 12 | Nov 13 | $300 | XSS in folderization tree view from item and folder names | Paul Vincent Prieto |
Nov 12 | Nov 13 | $250 | Client roster exporting of other coaches when lacking access | Paul Vincent Prieto |
Nov 12 | Nov 13 | $100 | API documentation page clickjacking | Paul Vincent Prieto |
Nov 12 | Nov 13 | $100 | Publicly accessible PHP opcache state | Paul Vincent Prieto |
Nov 13 | Nov 13 | $250 | Sign Up CSRF to set various values | geekboyranjeet |
Nov 13 | Nov 13 | $200 | CSRF-like snyc Google calendar to unwitting other user | geekboyranjeet |
Nov 13 | Nov 13 | $100 | Referrer CSRF sign up | geekboyranjeet |
Nov 14 | Nov 16 | $100 | Disable 2FA for in-account clients | Akash C |
Nov 14 | Nov 16 | $150 | Load of coach profile by coaches lacking permission | geekboyranjeet |
Nov 15 | Nov 16 | $100 | Load coach roster by coaches lacking permission | geekboyranjeet |
Nov 15 | Nov 16 | $100 | Pick new default avatar for other in-account users | geekboyranjeet |
Nov 15 | Nov 16 | $150 | Message team members by coaches lacking permission | geekboyranjeet |
Nov 16 | Nov 16 | $150 | Client adding by coaches lacking permission | geekboyranjeet |
Nov 16 | Nov 18 | $150 | Encoded XSS in group member name manifest when deleting | Akash C |
Nov 16 | Nov 18 | $250 | Access of other coach data by non-admin coaches | geekboyranjeet |
Nov 16 | Nov 18 | $250 | Client access of Metrics of other same-coach clients | geekboyranjeet |
Nov 17 | Nov 18 | $1000 | IDOR of client names | Judy Magleo |
Nov 17 | Nov 18 | $150 | XSS by team member name in Team Member Manager | Judy Magleo |
Nov 18 | Nov 21 | $200 | Coach ability to delete other coach's Journal Entry | geekboyranjeet |
Nov 18 | Nov 21 | $150 | Coach ability to delete other coach's client file marked private | geekboyranjeet |
Nov 19 | Nov 21 | $150 | Disallowed ability to re-designate Course Participant's coach | geekboyranjeet |
Nov 19 | Nov 21 | $150 | Forged requests allowing access of not-visible Metrics | geekboyranjeet |
Nov 19 | Nov 21 | $150 | Forged request to share file with non-paired clients | geekboyranjeet |
Nov 21 | Nov 21 | $250 | Revealed stack trace error | geekboyranjeet |
Nov 21 | Nov 25 | $250 | Forged request to access ClientFile of non-paired client | Paul Vincent Prieto |
Nov 23 | Nov 25 | $100 | XSS in client name when spinning off a Course | Ashish Padelkar |
Nov 24 | Nov 25 | $200 | XSS in Worksheet Template name in Course Builder | Ashish Padelkar |
Nov 25 | Nov 25 | $200 | Welcome Page CSRF of account cancellation | Akash C |
Totals: | $14500 | 58 issues | 9 reporters |
Deliver better programs. To more people. With less work.