Coda Payments Vulnerability Disclosure Policy

This policy outlines the procedures for reporting and addressing security vulnerabilities related to Coda Payments. Security researchers who interact with Coda Payments’ products and services are encouraged to report any potential or identified vulnerabilities in our system by sending us an email following the template given below.

1. Responsible Disclosure

We appreciate your effort in securing our systems. If you believe you have discovered a security vulnerability in our systems, you are strongly encouraged to adhere to the following actions:

• do not publicly disclose the vulnerability before explicit approval from Coda’s security team.
• avoid any actions that could cause harm to Coda’s systems or data, this includes but is not limited to performing SQL database dump (confidentiality), modifying data belonging to accounts that are not owned by you (integrity), causing slow performance or downtime (availability);
• only communicate about the vulnerability directly with Coda’s security team and not any other contact related to Coda Payments

Violation of any of the above actions will result in the void of rewards and rejection of all future reports.

2. Reporting Vulnerabilities

To report a security vulnerability, please submit it only via this form Vulnerability Submission Form. Submission via all the other reporting channels will be ignored.

Please report ONE security vulnerability per submission.

Please ensure that all the information submitted in the form is correct as we will refer to it for follow-up.

3. Vulnerability Validation Process

After receiving the vulnerability report, we will follow a series of steps to validate the reported vulnerability:

• acknowledge the receipt of your report within 7 days;
• investigate and validate the reported vulnerability;
• notify you when the vulnerability has been validated and accepted; and
• offer rewards for eligible vulnerabilities within 15 days.

If the reported vulnerability is a duplicate, we do not award the reporter.

4. Scope

4a) In scope

The below list of URLs is in scope for the bug bounty program:

• *.codashop.com
• *.codacash.com
• *.codapayments.com

4b) Out of scope

Authenticated tests are out of scope unless public sign-up is available.

Please note that URLs that are not in the above list, along with the URL(s) below, are excluded from the bug bounty program (this list shall not be exhaustive):

• codapayment.zendesk.com
• codapayments.atlassian.net
• news.codashop.com
• *.support.codashop.com

Please also note that we exclude these vulnerability categories from the bug bounty program (the list shall not be exhaustive):

• Denial-of-Service (DoS) attacks
• Physical attacks on our facilities or data centers
• Social engineering or phishing attacks
• Vulnerabilities in third-party applications/services/components
• HTTPS security headers
• Outdated versions

These vulnerability categories are excluded from the bug bounty program specifically for www.codashop.com (the list shall not be exhaustive):

• Clickjacking vulnerabilities
• Open redirect vulnerabilities
• Cross-Site Request Forgery (CSRF) vulnerabilities
• Session invalidation after password change
• Game user ID enumeration
• Sensitive token exposed in local storage

Security researchers must also demonstrate that the issues are exploitable and impact the system; submitting only the output from tools, such as TLS protocols/ciphers and port scanning, is insufficient. 

5. Legal Considerations

We appreciate your efforts to disclose vulnerabilities to us responsibly and by submitting the report to us, you agree to be bound by the following terms and conditions:

• you shall act in good faith and follow this policy;
• you shall adhere to the responsible disclosure principles;
• at our sole discretion, we may use the vulnerability report submitted for any purpose deemed relevant by us;
• if applicable, for any recommendation you have submitted to us in your report, you agree that Coda Payments shall have all the rights and ownership for such recommendation proposed by you; 
• all information (including personal information) that you may share to us, you authorise and consent that we could collect, use and/or disclose information (including personal information) for the purposes set out in the Vulnerability Disclosure Policy; 
• you shall not resell or redistribute any of Coda Payments’ data and information; and
• you shall not publish or disclose any potential vulnerabilities discovered to any third party without the consent of Coda Payments. All the information you share in the report shall remain confidential at all times.  

6. Bounty Rewards

We offer rewards to security researchers who responsibly disclose vulnerabilities that exist in in-scope systems and can demonstrate that the vulnerabilities are exploitable. The value is determined based on severity as follows:

• Critical (Up to USD 2,000)
• High (Up to USD 1,000)
• Medium (Up to USD 130)
• Low (Up to USD 10)
• Informational (USD 0)

We only support the Payoneer payment method. The above amount excludes fees that may be imposed by Payoneer.

Once we have determined the value of the rewards, the security researcher can agree or appeal to the amount (for 1 time). We will disclose the payment details once the security researcher agrees to the bounty reward.

7. Amendments

All information in this policy is subject to change without notice. Please review this policy periodically for any updates.