This policy outlines the procedures for reporting and addressing security vulnerabilities related to Coda Payments. Security researchers who interact with Coda Payments’ products and services are encouraged to report any potential or identified vulnerabilities in our system by sending us an email following the template given below.
1. Responsible Disclosure
We appreciate your effort in securing our systems. If you believe you have discovered a security vulnerability in our systems, you are strongly encouraged to adhere to the following steps:
- do not publicly disclose the vulnerability before it has been addressed and resolved by our security team (security@codapayments.com);
- avoid any actions that could cause harm to our systems or data;
- provide sufficient details to help us understand and reproduce the issue, including the affected endpoints, the steps to reproduce, any proof of concept (PoC) code, screenshot, risk assessment, impact analysis, and remediation suggestion in the security bug report; and
- only communicate about the vulnerability directly with our security team (security@codapayments.com) and not any other contact related to Coda Payments.
2. Reporting Vulnerabilities
Please report ONE security vulnerability per email.
To report a security vulnerability, please get in touch with us by sending an email to security@codapayments.com using the template below:
Subject: Security Vulnerability Report
Body:
TITLE: <Vulnerability Title>
TYPE: <Vulnerability Type>
ENDPOINTS: <Affected Endpoint(s) (separated by commas for multiple endpoints)>
SUMMARY: <Summary>
Attachment: *PDF Report File* (Report Template)
Please refer to the attached sample report file above and provide a detailed description of the vulnerability, including but not limited to, screenshots, video, PoC code, or logs. Once completed, please attach your report in PDF format, and send it to us.
3. Vulnerability Validation Process
After receiving the vulnerability report, we will follow a series of steps to validate the reported vulnerability:
- acknowledge the receipt of your report within 7 days;
- investigate and validate the reported vulnerability;
- notify you when the vulnerability has been validated and accepted; and
- offer rewards for eligible vulnerabilities within 15 days.
4. Scope
4. a) In scope
The below list of URLs is in scope for the bug bounty program:
- *.codashop.com
- *.codacash.com
- *.codapayments.com
4. b) Out of scope
Please note that URLs not in the above list, along with the URL(s) below, are excluded from the bug bounty program (this list is not exhaustive):
- codapayment.zendesk.com
- codapayments.atlassian.net
- news.codashop.com
- *.support.codashop.com
Please also note that we exclude the following vulnerability categories from the bug bounty program (this list is not exhaustive):
- Denial-of-Service (DoS) attacks
- Physical attacks on our facilities or data centers
- Social engineering or phishing attacks
- Vulnerabilities in third-party applications/services/components
- HTTPS security headers
- Outdated versions
These vulnerability categories are excluded from the bug bounty program specifically for www.codashop.com (this list is not exhaustive):
- Clickjacking vulnerabilities
- Open redirect vulnerabilities
- Cross-Site Request Forgery (CSRF) vulnerabilities
- Session invalidation after password change
- Game user ID enumeration
- Sensitive token exposed in local storage
Security researchers must also demonstrate that the issues are exploitable and impact the system; submitting only the output from tools, such as TLS protocols/ciphers and port scanning, is insufficient.
6. Legal Considerations
We appreciate your efforts to disclose vulnerabilities to us responsibly and by submitting the report to us, you agree to be bound by the following terms and conditions:
- you shall act in good faith and follow this policy;
- you shall adhere to the responsible disclosure principles;
- at our sole discretion, we may use the vulnerability report submitted for any purpose deemed relevant by us;
- if applicable, for any recommendation you have submitted to us in your report, you agree that Coda Payments shall have all the rights and ownership for such recommendation proposed by you;
- for all information (including personal information) that you share with us, you authorise and consent to our collecting, using and/or disclosing that information (including personal information) for the purposes set out in the Vulnerability Disclosure Policy;
- you shall not resell or redistribute any of Coda Payments’ data and information; and
- you shall not publish or disclose any potential vulnerabilities discovered to any third party without the consent of Coda Payments. All the information you share in the report shall remain confidential at all times.
7. Bounty Rewards
We offer rewards to security researchers who responsibly disclose vulnerabilities that exist in in-scope systems and can demonstrate that the vulnerabilities are exploitable. The value is determined based on severity as follows:
- Critical (Up to USD 1,500)
- High (Up to USD 800)
- Medium (Up to USD 500)
- Low (Up to USD 150)
- Informational (USD 0)
We only support the Payoneer payment method.
Once we have determined the value of the reward, the security researcher can accept the amount or appeal it (up to 3 times). We will disclose the payment details once the security researcher agrees with the bounty reward.
8. Amendments
All information in this policy is subject to change without notice. Please review this policy periodically for any updates.