Data security and privacy are our top priorities. We recognize the value that external security researchers can bring to Copia and we are willing to reward eligible contributions from security researchers, as outlined below. If you believe you’ve found a security vulnerability in Copia’s service, please let us know immediately. We are committed to investigating all legitimate reports and will work to resolve the issue in a timely manner. Before reporting, please review this page.
“Security is always excessive until it's not enough.”
Head of Security, Country Energy, NSW Australia
Responsible Research and Disclosure Policy
In order for you to participate in the program, we require that:
- You refrain from interacting with an individual account (this includes modifying or accessing data from the account) unless you have explicit and written permission from the account holder.
- You make a good faith effort to avoid privacy violations and interrupting others, including (but not limited to) unauthorized access to data, destruction of data, and interruption or degradation of our products. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
- If you inadvertently access an individual account's data or Copia company data without permission while investigating an issue, you must cease all activity that might result in further access of private data and contact Copia with a full description of the data that was accessed and the contents of that information. You must immediately delete the information from your system. If you continue to access the unauthorized data, it may indicate a lack of good faith and make you ineligible to receive any benefits from the Safe Harbor Provisions listed below. For any related subsequent bug bounty reports you submit, you must indicate the unauthorized access incident and you may not share that information with anyone else.
- You cannot exploit a security issue you discover for any reason other than for testing purposes.
- You allow a reasonable amount of time for us to review and resolve the issue prior to disclosing it to the public or to a third party.
Safe Harbor Provisions
- We consider the terms mentioned here to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA), to test the security of Copia's products. These terms do NOT provide you authorization to intentionally access individual or company data without their express consent.
- If Copia determines at its sole discretion that you have complied in all respects with our Bug Bounty Program Terms in reporting a security issue to Copia, we will not open a complaint to law enforcement or pursue a civil action against you. Copia will also not pursue legal action against you for clear accidental or good faith violations of these terms or our policy.
- If a third party initiates legal action against you for actions that Copia deems to have complied with our Bug Bounty Terms, Copia will make it known, either to the public or the court, that your actions were authorized under this program.
Bug Bounty Program Processes
We recognize and reward security researchers who help keep our patron data safe by disclosing vulnerabilities in our products. Monetary bounties for such disclosures are entirely at Copia's discretion and are based on risk, impact, and other important factors. To be considered for a bounty, you must meet the following requirements:
- Adhere to our Responsible Research and Disclosure Policy as well as our Safe Harbor Provisions (see above).
- Identify and disclose a security bug that is confirmed by Copia as a vulnerability in our product or infrastructure that creates a security or privacy risk. Please note that many software bugs are not considered security issues and that Copia will ultimately determine the risk of a reported issue. You must disclose the vulnerability as soon as it's discovered or as soon as realistically possible.
- Submit your report via our "Disclose an Issue" form and respond to any follow-up requests from our team regarding updates or further information. Please only submit one issue per report and do not contact our team members directly or through other channels about a disclosed submission.
If you are unsure about any of the above requirements, please contact us for clarification before taking action, either by submitting a new submission with your question or emailing us at firstname.lastname@example.org.
On our end, we commit to following these guidelines when reviewing submitted disclosure reports under our bug bounty program:
- We will investigate and respond to all valid reports. We prioritize evaluations based on risk, impact, and other important factors so please allow a reasonable amount of time before you receive a response.
- Bug bounty compensation is based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the submission. Please note that exceptionally low-risk issues may not qualify for a bounty unless that low-risk issue leads us to discover higher-risk vulnerabilities.
- We intend to pay similar amounts for similar issues; however, qualifying issues and their related bounty amounts may change over time, and past rewards are not indicative of future results.
- If we receive a duplicate submission, we award the bounty to the first person to submit the issue. Copia determines what is considered a duplicate submission and is not obligated to share details on prior similar submissions. Any given bounty is usually paid to one individual; however, if a subsequent submission on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may also pay a reward for the subsequent submission and determine if an additional reward is warranted for the initial submission.
- You may donate a bounty to a recognized charity (subject to approval by Copia). We love that you're donating your reward and we double bounty amounts that are donated in this way.
- We reserve the right to publish submissions and relevant updates.
- We acknowledge and publish a list of researchers who have submitted valid security reports. To be eligible for this list, you must first receive a bounty. If you do not wish to be published on this list, please let us know. We reserve the right to limit or adjust the information connected to your name in the list.
- We confirm that all bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
While researching, we'd like you to refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of Copia employees or contractors
- Any attacks against Copia’s physical property or data centers
Thank you for helping to keep Copia and our users safe.
Other Important Information
Please refrain from security research on Copia or searching for vulnerabilities without first notifying Copia and getting permission for your intended actions.