Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
Cuvva logo
Hall of Fame

In Scope

Scope Type Scope Name
android_application co.cuvva.hourly
ios_application 979980804
web_application *
web_application *
web_application *
web_application *

Out of Scope

Scope Type Scope Name


Cuvva is a new kind of insurance company - focussing on technology and customers first, finance second. Part of this is building all our systems entirely in-house, which - of course - can present new risks.

Security is our highest priority and we strongly appreciate your efforts in helping us protect our customers.


  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Once the issue is resolved, we will publish/disclose the report.


While researching, we'd like to ask you to refrain from:

  • denial of service
  • spamming
  • social engineering (including phishing) of the Cuvva team
  • any physical attempts against Cuvva
  • submitting unvalidated reports from automated tools
  • making excessive numbers of requests (e.g. fuzzing) without agreeing it with us first
  • making repeated requests to endpoints which have an associated cost (e.g. SMS, vehicle lookups, etc.)
  • causing spam in our customer support inboxes (e.g. XSS attempts to


At the present time, the following items are considered out-of-scope , as they are unrelated/unconnected to our core systems:

  • non-XSS content injection (e.g. text injection)
  • issues on external non-Cuvva hostnames (still interested in these if we use the service, but will be marked as informative)
  • issues with external services (e.g. blog, status page) which don't affect any core part of our system (will be marked as informative)
  • handling of data within mobile apps where the host OS fully encrypts that data anyway
  • any kind of issue relating to security by obscurity (e.g. OPTIONS, software versions, etc.)
  • the ability to use prod access tokens on other environments (this is intentional)
  • missing security headers (e.g. X-Frame-Options, etc.)
  • exposure of staff usernames/email addresses - e.g. via the Wordpress JSON API (they're all listed on our website anyway)
  • anything which would require users to actively disable standard security features (e.g. MITMing which would require TLS to be broken/ineffective)


The easiest way to get to grips with how our system works is to MITM our iOS app - we'd suggest using mitmproxy or similar (we do not currently pin certificates - this is intentional).

Our public APIs all follow the host name structure: https://api.[env].cuv-[system].app/1/service-[service]. You're welcome to investigate and https://api.sandbox.cuv- There are other environments, but please leave those alone.

You'll probably find our public API docs useful. Keep in mind not all APIs are publically documented and a couple of them are slightly out of date, but it's a handy reference. That can be found here: __

sandbox endpoints are directly equivalent to prod, so anything which is likely to cause issues - please try to keep it on sandbox. If you need to use prod, you can, but just try to be reasonably careful. If you'd like to go through the purchasing processes without actually spending money, let us know and we can set you up with a sandbox account - allowing the use of Stripe test cards etc.

Our internal dashboard (for administration etc) lives at You can switch environment there by appending ?env=[env] - e.g. You should not be able to log in here, and unfortunately we aren't able to bypass parts of the authentication for testing purposes. This used to live at and, but these are gone and just redirect to the new dashboard.

If you manage to make any request to *.(int|sys|vendor) - well done! Please let us know :)

Some * domains are only accessible once on the VPN, so we haven't bothered explicitly listing those. If you do manage to get onto one of them, please let us know about that too! :)

You may see references to hostnames like *.[env] Although these are still used internally for legacy reasons, they are no longer accessible externally. You can ignore them - they've basically been moved from https://service-[service].[env][path] and https://service- proxy.[env][service]/[path] to https://api.[env].cuv-(non)[service]/[path].

FireBounty © 2015-2019

Legal notices