Scope
- All hosts under *.cogniahq.tech
- The Cognia public API
- The Cognia browser extension (Chrome and Firefox)
Out of scope
- Denial-of-service, volumetric attacks, or rate-limit testing
- Vulnerabilities in third-party services and subprocessors — please report those directly to the vendor
- Social engineering of Cognia employees or customers
- Physical attacks against Cognia property or personnel
- Issues that require a rooted/jailbroken device, a custom browser build, or pre-existing local access
- Self-XSS that requires victim cooperation to exploit
- Missing best-practice headers without a demonstrable impact
Rewards
| Severity | Payout | Examples |
|---|---|---|
| Critical | $5,000 | Remote code execution, authentication bypass, large-scale data exposure. |
| High | $1,500 | Privilege escalation, IDOR with sensitive data, server-side request forgery. |
| Medium | $500 | Stored XSS, CSRF on sensitive actions, leaks of non-public metadata. |
| Low | $100 | Reflected XSS in unauthenticated surfaces, minor information disclosure. |
Final severity is determined by the Cognia security team using CVSS 3.1 as a guide. When duplicate reports are received, the award goes to the first submitter who provided a working proof of concept.
Disclosure window
We aim to remediate confirmed reports within 90 days. We ask that you withhold public disclosure until we have shipped a fix or the 90-day window has elapsed, whichever comes first. If you need a longer or shorter window, tell us and we will negotiate in good faith.
Safe harbor
Research conducted within the scope and rules of this program is authorized; we will not pursue or support legal action against you for that research. Please do not access more data than is needed to demonstrate the vulnerability, and do not exfiltrate, destroy, or modify customer data.
Report a vulnerability
Email a written report with reproduction steps, affected URLs or endpoints, and your proposed severity to security@cogniahq.tech. PGP keys are available on request.