Cuvva is a new kind of insurance company - focussing on technology and customers first, finance second. Part of this is building all our systems entirely in-house, which - of course - can present new risks.
Security is our highest priority and we strongly appreciate your efforts in helping us protect our customers.
While researching, we'd like to ask you to refrain from:
At the present time, the following items are considered out-of-scope , as they are unrelated/unconnected to our core systems:
prodaccess tokens on other environments (this is intentional)
The easiest way to get to grips with how our system works is to MITM our iOS app - we'd suggest using mitmproxy or similar (we do not currently pin certificates - this is intentional).
Our public APIs all follow the host name structure:
https://api.[env].cuv-[system].app/1/service-[service]. You're welcome to
nonprod.app. There are other environments, but please leave those alone.
You'll probably find our public API docs useful. Keep in mind not all APIs are publically documented and a couple of them are slightly out of date, but it's a handy reference. That can be found here: https://github.com/cuvva/docs/tree/master/apis __
sandbox endpoints are directly equivalent to
prod, so anything which is
likely to cause issues - please try to keep it on
sandbox. If you need to
prod, you can, but just try to be reasonably careful. If you'd like to
go through the purchasing processes without actually spending money, let us
know and we can set you up with a
sandbox account - allowing the use of
Stripe test cards etc.
Our internal dashboard (for administration etc) lives at
https://ops.cuvva.com. You can switch environment there by appending
?env=[env] - e.g.
https://ops.cuvva.com/?env=sandbox. You should not be
able to log in here, and unfortunately we aren't able to bypass parts of the
authentication for testing purposes. This used to live at
https://ops.corp.cuvva.co, but these are
gone and just redirect to the new dashboard.
If you manage to make any request to
*.(int|sys|vendor).cuvva.co - well
done! Please let us know :)
*.corp.cuvva.co domains are only accessible once on the VPN, so we
haven't bothered explicitly listing those. If you do manage to get onto one of
them, please let us know about that too! :)
You may see references to hostnames like
these are still used internally for legacy reasons, they are no longer
accessible externally. You can ignore them - they've basically been moved from
Contact us if you want more information.