Responsible Disclosure Overview

At Coupa, we recognize the important role that independent security researchers play in keeping the internet secure. Keeping our customers’ data secure is our number-one priority. We encourage responsible reporting of any vulnerabilities. We work with the security community to verify and respond to any potential vulnerabilities reported to us, and we pledge not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to the conditions below.

Testing for Security Vulnerabilities

Testing is only allowed against trial instances of our online services to minimize the risk to our customers’ data. When conducting independent vulnerability testing, we don't allow the following types of security research techniques:

  • Causing, or attempting to cause, a Denial of Service (DoS) condition
  • Accessing, or attempting to access, data or information that belongs to others
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that belongs to others
  • Pivoting, or attempting to pivot, within our production environment

Reporting Potential Vulnerabilities

All testing for security vulnerabilities must be completed against test instances and in accordance with the rules of the HackerOne bug bounty platform. If you believe you have identified a vulnerability and would like to report it, please provide the information below via the HackerOne platform. Customers may report any vulnerabilities using our Coupa Compass Portal or by submitting a support ticket.

Include the following information about the suspected vulnerability so that our security team can validate and reproduce the issue:

  1. Proof-of-concept and/or URL demonstrating the vulnerability
  2. Type of issue (cross-site scripting, buffer overflow, SQL injection, etc.)
  3. Any special configuration required to reproduce the issue
  4. Impact of the issue, including how an attacker could exploit the issue

Our Security Commitment

To all security researchers who follow this Coupa Vulnerability Reporting Policy, our security team commits to:

  • Respond in a timely manner, acknowledging receipt of your report
  • Provide an estimated time frame for addressing the vulnerability
  • Notify the reporting individual when the vulnerability is fixed
  • Take security issues seriously and respond swiftly to fix verifiable security issues

Compensation

We work with the HackerOne bug bounty platform to validate and reward unique bug discoveries. Please work with our team if you are unfamiliar with submitting bugs to Coupa’s bug bounty program. We do not provide compensation outside the bug bounty program, for funding and reporting reasons.