2017-05-22
2019-08-06

Cuvva

Cuvva is building radically better car insurance - focusing on technology and customers first, finance second. Part of this is building all our systems entirely in-house, which - of course - can present new risks.

Security is our highest priority and we really appreciate your efforts in helping us protect our customers.

Disclosure

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Once the issue is resolved, we will publish/disclose the report.

Exclusions

While researching, we'd like to ask you to refrain from:

  • denial of service

  • spamming

  • social engineering (including phishing) of the Cuvva team

  • any physical attempts against Cuvva

  • submitting unvalidated reports from automated tools

  • making excessive numbers of requests (e.g. fuzzing) without agreeing it with us first

  • making repeated requests to endpoints which have an associated cost (e.g. SMS, vehicle lookups, etc.)

  • causing spam in our customer support inboxes (e.g. XSS attempts to support@cuvva.com)

Out-of-scope

At the present time, the following items are considered out-of-scope, as they are unrelated/unconnected to our core systems:

  • non-XSS content injection (e.g. text injection)

  • issues on external non-Cuvva hostnames (we're still interested in these if we use the service, but they will be marked as informative)

  • issues with external services (e.g. feedback site, status page) which don't affect any core part of our system (these will be marked as informative)

  • handling of data within mobile apps where the host OS fully encrypts that data anyway

  • any kind of issue relating to security by obscurity (e.g. OPTIONS, software versions, etc.)

  • the ability to use prod access tokens on other environments (this is intentional)

  • missing security headers (e.g. X-Frame-Options, etc.)

  • exposure of staff usernames/email addresses (they're all listed on our website anyway)

  • anything which would require users to actively disable standard security features (e.g. MITMing which would require TLS to be broken/ineffective)

Guidance

The easiest way to get to grips with how our system works is to MITM our iOS app - we'd suggest using mitmproxy or similar (we do not currently pin certificates - this is intentional).

Our public APIs all follow the hostname structure https://api.[env].cuv-[system].app/1/service-[service]. You're welcome to investigate https://api.prod.cuv-prod.app and https://api.ephemeral.cuv-nonprod.app. There are other environments, and you might find the test environment useful too, but please leave the others alone.

You'll probably find our public API docs useful. Keep in mind that not all APIs are publicly documented and a couple of them are a bit out of date, but it's a handy reference. They can be found here: https://github.com/cuvva/docs/tree/master/apis

Ephemeral endpoints are directly equivalent to prod, so please keep anything which is likely to cause issues on ephemeral. If you need to use prod, you can, but try to be reasonably careful. If you'd like to go through the purchasing process without actually spending money, let us know and we can give you some test driving licence details; you'll also need to use Stripe test cards etc.

Our internal dashboard (for administration etc) lives at https://ops.cuvva.com. You can switch environment there by appending ?env=[env] - e.g. https://ops.cuvva.com/?env=ephemeral. You should not be able to log in here, and unfortunately we aren't able to bypass parts of the authentication for testing purposes.

The environments and services we run can be discovered automatically. The environments can be listed here:

  • https://meta.g.cuv-prod.app/2020-07-09/config

  • https://meta.g.cuv-nonprod.app/2020-07-09/config (please try to stick to test + ephemeral - our internal teams use the others for their day-to-day work)

From this, you can then find all the services running on an environment at [env_config_primary_url]/1/2019-03-18/list_service_endpoints, e.g.:

  • curl -X POST https://api.prod.cuv-prod.app/1/service-env-config/1/2019-03-18/list_service_endpoints

  • curl -X POST https://api.test.cuv-nonprod.app/1/service-env-config/1/2019-03-18/list_service_endpoints

Hostnames you might find interesting:

  • ops.cuvva.com

  • underwriter.partner.cuvva.com

  • api.prod.cuv-prod.app

  • bastion-data-warehouse.g.cuv-prod.app

  • bastion-hevo.g.cuv-prod.app

  • meta.g.cuv-prod.app

  • payment.g.cuv-prod.app

  • rancher.g.cuv-prod.app

  • sftp.g.cuv-prod.app

  • underwriter.prod.cuv-prod.app

  • wg-data-warehouse.g.cuv-prod.app

  • wg.g.cuv-prod.app

  • api.ephemeral.cuv-nonprod.app

  • api.test.cuv-nonprod.app

  • bastion-data-warehouse.g.cuv-nonprod.app

  • bastion-hevo.g.cuv-nonprod.app

  • meta.g.cuv-nonprod.app

  • payment.g.cuv-nonprod.app

  • rancher.g.cuv-nonprod.app

  • sftp.g.cuv-nonprod.app

  • underwriter.ephemeral.cuv-nonprod.app

  • underwriter.test.cuv-nonprod.app

  • website.g.cuv-nonprod.app

  • wg-data-warehouse.g.cuv-nonprod.app

  • wg.g.cuv-nonprod.app

In Scope

Scope Type           Scope Name
android_application  co.cuvva.hourly
ios_application      979980804
web_application      api.prod.cuv-prod.app
web_application      ops.cuvva.com
web_application      underwriter.partner.cuvva.com
web_application      www.cuvva.com
web_application      https://github.com/cuvva/docs
web_application      wg.g.cuv-prod.app
web_application      *.cuv-prod.app

Out of Scope

Scope Type           Scope Name
web_application      status.cuvva.com
web_application      feedback.cuvva.com



FireBounty © 2015-2024
