
Vulnerability Disclosure Policy (VDP)

Written by Even Dalen
Updated over 2 weeks ago

At Cobrief, we take the security of our systems and our customers' data very seriously. We highly value the ethical security research community and appreciate your efforts in helping us keep our platform safe.

If you believe you have discovered a potential security vulnerability in our services, we encourage you to report it to us responsibly.

1. Rules of Engagement

To ensure a safe and responsible disclosure process, we require that you:

  • Do no harm: Do not take any actions that could impact the reliability, availability, or performance of our services (e.g., no DDoS or spam attacks).

  • Protect user data: Never attempt to access, modify, or delete data belonging to Cobrief or our customers. If you encounter user data, stop testing immediately and report it.

  • No active scanning: Do not use automated vulnerability scanners or excessive traffic to find vulnerabilities, as this creates unnecessary noise for our monitoring systems.

  • No social engineering: Do not target our employees, physical offices, or customers with phishing or social engineering attacks.

2. Reward Policy (No Bug Bounty)

Cobrief operates a strictly unpaid Vulnerability Disclosure Program. We do not currently offer financial compensation, bounties, or physical rewards (swag) for vulnerability reports. We rely on the goodwill of the community and are happy to provide a letter of recommendation or a certificate of appreciation for critical, valid, and previously unknown vulnerabilities reported in good faith.

3. Out of Scope Vulnerabilities

To save both your time and ours, please note that we do not accept reports for the following, unless you can demonstrate a clear, exploitable impact:

  • Missing SPF, DKIM, or DMARC records.

  • Missing HTTP security headers (e.g., Strict-Transport-Security, X-Frame-Options) without a working proof-of-concept.

  • Clickjacking on pages with no sensitive actions.

  • Software version disclosure.

  • Theoretical vulnerabilities without a clear exploit scenario.

4. How to Report

Please send your vulnerability reports to: [email protected]

Include a clear description of the issue, the potential impact, and detailed steps to reproduce it (a Proof of Concept).

5. Safe Harbor

If you conduct your research and report your findings in accordance with this policy, we will consider your actions authorized. We will not initiate legal action or file a complaint with law enforcement regarding your research.
