Coda Payments Vulnerability Disclosure Policy

This policy outlines the procedures for reporting and addressing security vulnerabilities related to Coda. Security researchers who interact with Coda’s products and services are encouraged to report any potential or identified vulnerabilities in our systems by sending us an email using the template below.

1. Responsible Disclosure

We appreciate your effort in securing our systems. If you believe you have discovered a security vulnerability in our systems, you are strongly encouraged to adhere to the following actions:

• Do not publicly disclose the vulnerability before explicit approval from Coda’s security team.
• Avoid any actions that could cause harm to Coda’s systems or data, this includes but is not limited to performing SQL database dump (confidentiality), modifying data belonging to accounts that are not owned by you (integrity), causing slow performance or downtime (availability).
• Only communicate about the vulnerability directly with Coda’s security team and not any other contact related to Coda.

Violation of any of the above actions will result in the void of rewards and rejection of all future reports.

2. Reporting Vulnerabilities

To report a security vulnerability, please submit it only via the Vulnerability Submission Form. Submission via all the other reporting channels will be ignored.

Please report ONE security vulnerability per submission.

Please ensure that all the information submitted in the form is correct as we will refer to it for follow-up.

3. Vulnerability Validation Process

After receiving the vulnerability report, we will follow a series of steps to validate the reported vulnerability:

• Acknowledge the receipt of your report within 7 days;
• Investigate and validate the reported vulnerability;
• Notify you when the vulnerability has been validated and accepted; and
• Offer rewards for eligible vulnerabilities within 15 days.

If the reported vulnerability is a duplicate, we do not award the reporter.

4. Severity Ratings

We use a hybrid approach to determine severity by looking at the full picture within Coda’s environment: how easy it is to exploit, how many users could be affected, what data or systems are at risk, and how critical the feature involved is. Severity is assessed across four levels: Critical, High, Medium, and Low:

• Critical

These are the most serious vulnerabilities — ones that could have an immediate and widespread impact on Coda or our users.

• High

Significant vulnerabilities that could impact a meaningful subset of users or expose sensitive data in a targeted way.

• Medium

Vulnerabilities that have a real but limited impact, often requiring specific conditions or user interaction to exploit.

• Low

Low-risk issues worth fixing but posing minimal immediate threat to users or Coda’s systems.

While we consider researchers’ severity assessments, Coda retains final authority to determine the severity level of all reported vulnerabilities.

5. Scope

5a) In scope

The below list of URLs is in scope for the bug bounty program:

Coda

• *.codashop.com
• *.codacash.com
• *.codapayments.com
• *.coda.co

Giftcloud

• https://www.giftcloud.com/
• https://rewards.giftcloud.com/

Startselect

• https://startselect.com/xx-xx/order/*
• https://startselect.com/xx-xx/account/*
• https://api.startselect.com/v1/*

5b) Out of scope

Authenticated tests are out of scope unless public sign-up is available.

Please note that URLs that are not in the above list, along with the URL(s) below, are excluded from the bug bounty program (this list shall not be exhaustive):

• codapayment.zendesk.com
• codapayments.atlassian.net
• news.codashop.com
• *.support.codashop.com
• giftcloud.zendesk.com
• startselect.com/*/cdn-cgi/*

Please also note that we exclude these vulnerability categories from the bug bounty program (the list shall not be exhaustive):

• Denial-of-Service (DoS) attacks, including rate-limiting
• Physical attacks on our facilities or data centers
• Social engineering or phishing attacks
• Vulnerabilities in third-party applications/services/components
• HTTPS security headers
• Outdated versions
• Self Cross-Site Scripting (XSS)
• Clickjacking (on page with no sensitive actions)
• Missing CSRF Tokens (on page with no sensitive actions)
• SPF/DMARC/DKIM Records
• Weak Password Policies
• DNSSEC
• Rate Limiting

These vulnerability categories are excluded from the bug bounty program specifically for www.codashop.com (the list shall not be exhaustive):

• Clickjacking vulnerabilities
• Open redirect vulnerabilities
• Cross-Site Request Forgery (CSRF) vulnerabilities
• Session invalidation after password change
• Game user ID enumeration
• Sensitive token exposed in local storage

Security researchers must also demonstrate that the issues are exploitable and impact the system; submitting only the output from tools, such as TLS protocols/ciphers and port scanning, is insufficient.

6. Legal Considerations

We appreciate your efforts to disclose vulnerabilities to us responsibly and by submitting the report to us, you agree to be bound by the following terms and conditions:

• You shall act in good faith and follow this policy;
• You shall adhere to the responsible disclosure principles;
• At our sole discretion, we may use the vulnerability report submitted for any purpose deemed relevant by us;
• If applicable, for any recommendation you have submitted to us in your report, you agree that Coda shall have all the rights and ownership for such recommendation proposed by you;
• All information (including personal information) that you may share to us, you authorise and consent that we could collect, use and/or disclose information (including personal information) for the purposes set out in the Vulnerability Disclosure Policy;
• You shall not resell or redistribute any of Coda’s data and information; and
• You shall not publish or disclose any potential vulnerabilities discovered to any third party without the consent of Coda. All the information you share in the report shall remain confidential at all times.

7. Bounty Rewards

We offer rewards to security researchers who responsibly disclose vulnerabilities that exist in in-scope systems and can demonstrate that the vulnerabilities are exploitable. The value is determined based on severity as follows:

We only support the Payoneer and PayPal payment methods. The above amount excludes fees that may be imposed by Payoneer and PayPal.

Once we have determined the value of the rewards, the security researcher can agree or appeal to the amount (for 1 time). We will disclose the payment details once the security researcher agrees to the bounty reward.

8. Amendments

All information in this policy is subject to change without notice. Please review this policy periodically for any updates.