We take security, transparency, and the trust of our users seriously. Coalition appreciates the work of security researchers, and we’ve developed this program to make it easy to report vulnerabilities, and to recognize you for your effort to help us solve cyber risk.
If you believe you have found a security vulnerability that could impact Coalition or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow our Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines, and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Submitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and most importantly which includes steps or a "proof of concept" that allows us to reproduce the issue.
Very low quality reports such as those which only contain automated output will be rejected.
DO NOT submit the following as they will also be rejected:
- Missing best practice, configuration, or policy suggestions
- Output from automated scanners without a PoC to demonstrate a specific vulnerability
- Logout Cross-Site Request Forgery
- Lack of Secure or HttpOnly flag on non-sensitive cookies
- Email configuration issues without a PoC to demonstrate a specific flaw
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coalition account has been compromised, change your password and contact help@coalitioninc.com immediately.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder.
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
The following web properties owned by Coalition are in scope for the program:
- *.thecoalition.com
- *.coalitioninc.com
Note: platform.thecoalition.com is our broker platform, available only to licensed insurance brokers. Accordingly, we aren't able to provide an account for testing purposes. If you were otherwise able to gain access, we'd love to know, as it is not intended for public access.
Please note that help.coalitioninc.com is hosted by Intercom. All activities on this subdomain must be conducted pursuant to Intercom's Terms of Service and Vulnerability Disclosure Program (as applicable). Bugs found there should be reported directly to Intercom.
Customers of Coalition are out of scope.
Please be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Coalition Vulnerability Disclosure and/or Bug Bounty programs.
- Make sure that scanners have a narrow scope set that is limited to authorized Coalition IPs only.
- Do not send unsolicited bulk messages (spam) or unauthorized messages.
- Do not knowingly post, transmit, upload, link to, or send any malware.
- Do not attack Coalition customers, partners, or suppliers.
The following conditions are out of scope for the Coalition Vulnerability Disclosure Program. Any of the activities below will result in permanent disqualification from the program:
- Social engineering of Coalition employees, contractors, vendors, or service providers.
- Physical attacks against Coalition employees, offices, or data centers.
- Any vulnerability obtained through the compromise of a Coalition user or employee account.
- Any testing that results in a denial of service, or that otherwise impacts production application availability.
- Being an individual on, or residing in any country on, any U.S. sanctions list.
Additionally, while researching, we'd like to ask you to refrain from:
- Automated scanning
- Denial of service
- Spamming
- SSL/TLS scan reports
- Any finding without a working proof-of-concept example
- Anything that would bring harm to Coalition's apps, infrastructure, or customers
Coalition takes vulnerabilities seriously, and believes that vulnerability disclosure programs are a critical element in pursuit of our mission to solve cyber risk. Coalition's promise to you as a researcher includes:
- Taking all reported findings seriously
- Fast acknowledgement of reports
- Confirmation and acknowledgement of findings as identified
- Attribution to you, the researcher, and public disclosure of vulnerabilities
- Some pretty sweet looking socks (no really)
Coalition’s privacy policy can be found here: https://www.coalitioninc.com/legal/privacy
Thank you for helping keep Coalition and our users safe!
| Scope Type | Scope Name |
|---|---|
| web_application | api.thecoalition.com |
| web_application | platform.thecoalition.com |
| web_application | coalitioninc.com |

| Scope Type | Scope Name |
|---|---|
| web_application | www.thecoalition.com |
| web_application | blog.thecoalition.com |
| web_application | help.thecoalition.com |
The program has been crawled by Firebounty on 2018-02-13 and updated on 2018-06-05; 6 reports have been received so far.