22/05/2017

Cuvva

Cuvva is a new kind of insurance company - focussing on technology and customers first, finance second. Part of this is building all our systems entirely in-house, which - of course - can present new risks.

Security is our highest priority and we strongly appreciate your efforts in helping us protect our customers.

Disclosure

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Once the issue is resolved, we will publish/disclose the report.

Exclusions

While researching, we'd like to ask you to refrain from:

  • denial of service
  • spamming
  • social engineering (including phishing) of the Cuvva team
  • any physical attempts against Cuvva
  • submitting unvalidated reports from automated tools
  • making excessive numbers of requests (e.g. fuzzing) without agreeing it with us first
  • making repeated requests to endpoints which have an associated cost (e.g. SMS, vehicle lookups, etc.)
  • causing spam in our customer support inboxes (e.g. XSS attempts to support@cuvva.com)

Out-of-scope

At the present time, the following items are considered out-of-scope, as they are unrelated/unconnected to our core systems:

  • non-XSS content injection (e.g. text injection)
  • issues on external non-Cuvva hostnames (still interested in these if we use the service, but will be marked as informative)
  • issues with external services (e.g. blog, status page) which don't affect any core part of our system (will be marked as informative)
  • handling of data within mobile apps where the host OS fully encrypts that data anyway
  • any kind of issue relating to security by obscurity (e.g. OPTIONS, software versions, etc.)
  • the ability to use prod access tokens on other environments (this is intentional)
  • missing security headers (e.g. X-Frame-Options, etc.)
  • exposure of staff usernames/email addresses - e.g. via the WordPress JSON API (they're all listed on our website anyway)

Guidance

The easiest way to get to grips with how our system works is to MITM our iOS app - we'd suggest using mitmproxy or similar (we do not currently pin certificates - this is intentional).

Our public APIs all follow the host name structure: https://service-[name].[env].ext.cuvva.co; web services are on https://web-[name].[env].ext.cuvva.co, where env is prod or sandbox. There are other environments, but please leave those alone.

You'll probably find our public API docs useful. Keep in mind that not all APIs are publicly documented and a couple of them are slightly out of date, but it's a handy reference. They can be found here: https://github.com/cuvva/docs/tree/master/apis

Sandbox endpoints are directly equivalent to prod, so anything which is likely to cause issues - please try to keep it on sandbox. If you need to use prod, you can, but just try to be reasonably careful. If you'd like to go through the purchasing process without actually spending money, let us know and we can set you up with a sandbox account - allowing the use of Stripe test cards etc.

If you manage to make any request to *.(int|sys|vendor).cuvva.co - well done! Please let us know :)

Some *.corp.cuvva.co domains are only accessible once on the VPN, so we haven't bothered explicitly listing those. If you do manage to get onto one of them, please let us know about that too! :)
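The host-name structure and the internal/VPN zones described above make it easy to pre-classify hosts named in an incoming report. The following triage helper is an added example for this listing, not code from Cuvva or FireBounty; the service names and hosts in the comments and tests (auth, checkout, staging, blog) are constructed illustrations, not real Cuvva hosts.

```python
import re
from urllib.parse import urlsplit

# Host-name patterns from the programme text: service-[name].[env].ext.cuvva.co
# and web-[name].[env].ext.cuvva.co, with env being prod or sandbox for public use.
API_HOST = re.compile(r"^service-(?P<name>[a-z0-9-]+)\.(?P<env>[a-z0-9-]+)\.ext\.cuvva\.co$")
WEB_HOST = re.compile(r"^web-(?P<name>[a-z0-9-]+)\.(?P<env>[a-z0-9-]+)\.ext\.cuvva\.co$")
INTERNAL = re.compile(r"^(?:[a-z0-9-]+\.)+(?P<zone>int|sys|vendor)\.cuvva\.co$")
CORP = re.compile(r"^(?:[a-z0-9-]+\.)+corp\.cuvva\.co$")
PUBLIC_ENVS = {"prod", "sandbox"}


def normalise_host(value: str) -> str:
    """Accept a bare host or a full URL (as pasted into a report) and return the host."""
    value = value.strip()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.lower().rstrip(".")


def classify_host(value: str) -> dict:
    """Map a reported host to the scope categories the programme describes."""
    host = normalise_host(value)
    for kind, pattern in (("api", API_HOST), ("web", WEB_HOST)):
        m = pattern.match(host)
        if m:
            # prod and sandbox are the public environments; anything else exists
            # but the programme asks testers to leave it alone.
            status = "in-scope" if m.group("env") in PUBLIC_ENVS else "leave-alone"
            return {"host": host, "status": status, "kind": kind,
                    "name": m.group("name"), "env": m.group("env")}
    m = INTERNAL.match(host)
    if m:
        # *.int/sys/vendor.cuvva.co should not be reachable at all; a request
        # that succeeds against one is itself the thing to report.
        return {"host": host, "status": "report-reachability", "zone": m.group("zone")}
    if CORP.match(host):
        # *.corp.cuvva.co is VPN-only; reaching it from outside is reportable.
        return {"host": host, "status": "report-reachability", "zone": "corp"}
    if host in ("cuvva.co", "cuvva.com") or host.endswith((".cuvva.co", ".cuvva.com")):
        # Blog, status page and similar: Cuvva-branded but not a core system.
        return {"host": host, "status": "informative", "zone": "other-cuvva"}
    # Hosts outside Cuvva entirely are marked informative by the programme.
    return {"host": host, "status": "informative", "zone": "external"}
```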

Reward: Thanks, Gift, Hall of Fame



FireBounty (c) 2015-2019