
upcoach Bug Bounty Program

Explore upcoach's Bug Bounty Program for secure vulnerability reporting. Learn about guidelines, in-scope targets, exclusions and rewards.

Written by Kadir Furkan Kiraz
Updated over a week ago

At upcoach, we prioritize the safety and security of our platform and clients. To further strengthen the application's security, we invite the global security community to take part in our Bug Bounty Program. By responsibly disclosing vulnerabilities, security researchers help us maintain a secure environment and become eligible for rewards.


Scope of the Program

We accept vulnerability submissions rated P1 to P3 under the Bugcrowd Vulnerability Rating Taxonomy (VRT).

Authorized Testing Targets

Testing is authorized only on in-scope targets: upcoach services and systems that are directly reachable from the internet and are not listed under Out of Scope below. Researchers must limit their testing to these systems.

If you identify a vulnerability in a domain or property not listed as in scope but demonstrably belonging to upcoach, you may still report it. Such submissions will be reviewed on a case-by-case basis and may not qualify for a reward.

Out of Scope

The following domains and subdomains are out of scope for this program:

  • help.upcoach.com

  • docs.upcoach.com

  • developers.upcoach.com

  • wa.upcoach.com

  • scorecard.upcoach.com

  • custom.upcoach.com

  • affiliate.upcoach.com

  • upcoach.com (the main website; out of scope unless the finding leads to unauthorized backend access or exposure of sensitive administrative information)


Exclusions

The following issues are not considered valid vulnerabilities and are not eligible for rewards:

  • Violations of program rules or guidelines.

  • Brute force attacks (e.g., guessing passwords).

  • Disclosure of server or software version numbers.

  • Server-side request forgery (SSRF) requiring administrative privileges.

  • Unicode homoglyph or RTLO phishing attacks.

  • SPF, DKIM, or DMARC misconfigurations.

  • Physical access-dependent vulnerabilities.

  • Adversary-in-the-middle attacks.

  • Distributed Denial of Service (DDoS) attacks.

  • Content spoofing.

  • Social engineering, including phishing attacks.

  • Email flooding.

  • Issues related to XMLRPC.

  • Automated scanner reports without validation.

  • Self-XSS requiring more than two user actions to exploit.

  • Open redirects without demonstrated security impact.

  • Vulnerabilities in outdated or unsupported browsers.

  • Denial-of-service attacks affecting only the reporter’s account.

  • Overly permissive settings that the affected user can already restrict through available configuration options.


Reporting Guidelines and Process

To ensure your submission is actionable and eligible for review, please follow these guidelines:

Reporting Details

  • Description: Provide a clear and concise description of the vulnerability.

  • Reproduction Steps: Include a detailed, step-by-step guide to replicate the issue.

  • Proof of Concept (POC): Attach POC materials such as:

    • Screenshots.

    • Videos (preferred format).

    • Scripts or code snippets if applicable.

  • Impact Assessment: Clearly explain the potential impact of the vulnerability on the platform, users, or administrators.

Submission Channels

Reports must be submitted via email to one of the following addresses:

Expected Timeline

  1. Acknowledgment: We will acknowledge receipt of your submission within 2 business days.

  2. Validation: Our security team will review and validate the report within 7 business days.

  3. Feedback: If the submission is valid, we will provide feedback and discuss next steps. Rejected submissions will also receive a response explaining the reason.

  4. Resolution: Accepted vulnerabilities will be patched promptly, and the researcher will be notified.

  5. Reward Processing: If eligible for a reward, payment details and timelines will be communicated after resolution.


Reward Structure

Eligible vulnerabilities will be rewarded based on their severity as defined in the Bugcrowd Vulnerability Rating Taxonomy (VRT):

  • P1 (Critical): Highest priority; significant impact on security or data exposure.

  • P2 (High): Major vulnerability with significant impact that requires specific conditions to exploit.

  • P3 (Moderate): Medium-impact issues that may affect user experience or functionality.

Rewards may vary based on the complexity and potential impact of the vulnerability. Reports on out-of-scope domains may be reviewed but are not guaranteed a reward.

Known issues and duplicate reports (vulnerabilities that another security researcher has already submitted) are not eligible for a reward.


Program Rules and Responsibilities

  • Do not exploit or abuse vulnerabilities during testing.

  • Do not modify or destroy data.

  • Do not use social engineering, phishing, or denial-of-service attacks.

  • Conduct testing only on authorized targets.

  • Maintain confidentiality of any vulnerabilities until resolved by upcoach.

Failure to adhere to these rules will result in disqualification from the program.


Safe Harbor

We are committed to protecting researchers who act in good faith under this program. If you follow this policy:

  • Your research will be considered authorized under the Computer Fraud and Abuse Act (CFAA) and similar state laws.

  • You will be exempt from Digital Millennium Copyright Act (DMCA) claims related to circumvention.

  • We waive restrictions in our Terms & Conditions that would interfere with security research for this program.


Support and Documentation

For additional support and resources, refer to the following:


By participating in this program, you contribute to the security of upcoach and our clients. We thank you for your efforts in making the Internet a safer place!
