Coalition, Inc.

We take security, transparency, and the trust of our users seriously. Coalition appreciates the work of security researchers, and we’ve developed this program to make it easy to report vulnerabilities, and to recognize you for your effort to help us solve cyber risk.

If you believe you have found a security vulnerability that could impact Coalition or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow our Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines, and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.

Submitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and most importantly which includes steps or a "proof of concept" that allows us to reproduce the issue.

Very low quality reports such as those which only contain automated output will be rejected.

DO NOT submit the following as they will also be rejected:

• Missing Best Practice, Configuration, or Policy Suggestions
• Output from Automated Scanners without a PoC to demonstrate a specific vulnerability
• Logout Cross Site Request Forgery
• Lack of Secure or HTTP only flag on non-sensitive cookies
• Email configuration issues without a PoC to demonstrate a specific flaw

Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coalition account has been compromised, change your password and contact [email protected] immediately.

#Responsible Disclosure

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with accounts you own or with explicit permission of the account holder.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

#Scope The following web properties owned by Coalition are in scope for the program.

• *.thecoalition.com
• *.coalitioninc.com

Note: platform.thecoalition.com is our broker platform, only available to licensed insurance brokers. ​ Accordingly we aren’t able to provide an account for testing purposes. If you were otherwise able to gain access we’d love to know as it is not intended for public access.

Please note that help.coalitioninc.com is hosted by Intercom. All activities on these subdomains must be conducted pursuant to their respective Terms of Service and Vulnerability Disclosure Programs (as applicable). Bugs found should be reported directly to each respective service.

Customers of Coalition are out of scope.

#Guidelines for Testing Please be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Coalition Vulnerability Disclosure and/or Bug Bounty programs.

• Make sure that scanners have a narrow scope set that is limited to authorized Coalition IPs only.
• Do not not send unsolicited bulk messages (spam) or unauthorized messages.
• Do not knowingly post, transmit, upload, link to, or send any malware.
• Do not attack Coalition customers, partners or suppliers.

#Exclusions The following conditions are out of scope for the Coalition Vulnerability Disclosure Program. Any of the activities below will result in disqualification from the program permanently.

• Social engineering of Coalition employees, contractors, vendors, or service providers.
• Physical attacks against Coalition employees, offices, or data centers.
• Any vulnerability obtained through the compromise of a Coalition user or employee account.
• Any testing that results in a denial of service, or that otherwise impacts production application availability
• Being an individual on, or residing in any country on, any U.S. sanctions lists.

Additionally, while researching, we'd like to ask you to refrain from:

• Automated scanning
• Denial of service
• Spamming
• SSL/TLS Scan reports
• Any finding without a working proof of concept example
• Anything that would bring harm to Coalition’s apps, infrastructure, or customers

#What to Expect from Coalition Coalition takes vulnerabilities seriously, and believes that vulnerability disclosure programs are a critical element in pursuit of our mission to solve cyber risk. Coalition’s promise to you as a researcher includes:

• Take all reported findings seriously
• Fast acknowledgement of reports
• Confirmation and acknowledgement of findings as identified
• Attribution to you the researcher, and public disclosure of vulnerabilities
• Some pretty sweet looking socks (no really)

#Privacy Policy Coalition’s privacy policy can be found here: https://www.coalitioninc.com/legal/privacy

Thank you for helping keep Coalition and our users safe!