At Coupa, we recognize the important role that independent security researchers play in keeping the internet secure. Keeping our customers’ data secure is our number-one priority and we encourage responsible reporting of any vulnerabilities that may be found in our site or application. We're committed to working with the security community to verify and respond to any potential vulnerabilities reported to us, and we pledge not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to the conditions below.
Only conduct vulnerability testing against trial instances of our online services to minimize the risk to our customers’ data. When testing, we don't allow the following types of security research:
Privately share details of the suspected vulnerability with us by sending an email to firstname.lastname@example.org. If you want to send an encrypted message, you can use this PGP Key. Provide full details of the suspected vulnerability so our security team can validate and reproduce the issue.
Include the following information:
To all security researchers who follow this Coupa Vulnerability Reporting Policy, our security team commits to:
We take security issues seriously and will respond swiftly to fix verifiable security issues; however, some of our products are complex and may take some time to update.
While we appreciate the work done by independent security researchers, we don't offer compensation for reporting a security vulnerability. Any requests for such compensation will be considered a violation of the conditions above. In such an event, Coupa reserves all of its legal rights.