Cuvva is a new kind of insurance company - focussing on technology and customers first, finance second. Part of this is building all our systems entirely in-house, which - of course - can present new risks.
Security is our highest priority and we strongly appreciate your efforts in helping us protect our customers.
While researching, we'd like to ask you to refrain from:
At the present time, the following items are considered out-of-scope, as they are unrelated/unconnected to our core systems:
prod access tokens on other environments (this is intentional)
The easiest way to get to grips with how our system works is to MITM our iOS app - we'd suggest using mitmproxy or similar (we do not currently pin certificates - this is intentional).
Our public APIs all follow the host name structure:
https://service-[name].[env].ext.cuvva.co; web services are on
There are other environments, but please leave those alone.
You'll probably find our public API docs useful. Keep in mind not all APIs are publicly documented and a couple of them are slightly out of date, but it's a handy reference. That can be found here: https://github.com/cuvva/docs/tree/master/apis
Sandbox endpoints are directly equivalent to prod, so if anything is likely to cause issues, please try to keep it on sandbox. If you need to use prod, you can, but just try to be reasonably careful. If you'd like to go through the purchasing processes without actually spending money, let us know and we can set you up with a sandbox account, allowing the use of Stripe test cards etc.
If you manage to make any request to *.(int|sys|vendor).cuvva.co - well done! Please let us know :)
*.corp.cuvva.co domains are only accessible once on the VPN, so we haven't bothered explicitly listing those. If you do manage to get onto one of them, please let us know about that too! :)
Contact us if you want more information.