We take security, transparency, and the trust of our users seriously. Coalition appreciates the work of security researchers, and we’ve developed this program to make it easy to report vulnerabilities, and to recognize you for your effort to help us solve cyber risk.
If you believe you have found a security vulnerability that could impact Coalition or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow our Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines, and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Submitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and, most importantly, includes steps or a "proof of concept" that allows us to reproduce the issue.
Very low quality reports such as those which only contain automated output will be rejected.
DO NOT submit the following as they will also be rejected:
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coalition account has been compromised, change your password and contact email@example.com immediately.
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
The following web properties owned by Coalition are in scope for the program.
Note: platform.thecoalition.com is our broker platform, only available to licensed insurance brokers.
Accordingly, we aren’t able to provide an account for testing purposes. If you were otherwise able to gain access, we’d love to know, as it is not intended for public access.
Please note that www.thecoalition.com is hosted by Webflow, blog.thecoalition.com is hosted by Ghost, and help.thecoalition.com is hosted by Intercom. All activities on these subdomains must be conducted pursuant to their respective Terms of Service and Vulnerability Disclosure Programs (as applicable). Bugs found should be reported directly to each respective service.
Customers of Coalition are out of scope.
Please be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Coalition Vulnerability Disclosure and/or Bug Bounty programs.
The following conditions are out of scope for the Coalition Vulnerability Disclosure Program. Any of the activities below will result in permanent disqualification from the program.
Additionally, while researching, we'd like to ask you to refrain from:
Coalition takes vulnerabilities seriously, and believes that vulnerability disclosure programs are a critical element in pursuit of our mission to solve cyber risk. Coalition’s promise to you as a researcher includes:
Thank you for helping keep Coalition and our users safe!