Bug Bounty Program
About
Security is a top priority for Cognism because it is fundamental to everything we do, to our customers and to our product. For this reason, we have implemented a number of security measures, and we are committed to securing application data, eliminating vulnerabilities and ensuring business continuity.
For questions regarding security please email security@cognism.com.
Vulnerability Disclosure
If you would like to report a vulnerability or have any security concerns about any Cognism product, please contact security@cognism.com.
Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Vulnerability bounties (aka bug bounties) are determined on a case-by-case basis.
Rules for you
- Don’t attempt to gain access to another user’s account or data.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Don’t publicly disclose a bug before it has been fixed.
- Only test for vulnerabilities on sites you know to be operated by Cognism.
- Do not impact other users with your testing.
- Don’t use scanners, scrapers or any other automated tools in your testing.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When in doubt, contact us at security@cognism.com.
Rules for us
- We will respond as quickly as possible to your submission.
- We will keep you updated as we work to fix the bug you submitted.
- We will not take legal action against you if you play by the rules.
What does not qualify?
- Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.
- Bugs requiring exceedingly unlikely user interaction.
- Submissions which don’t include steps to reproduce the bug, or only include those steps in video form.
- Insecure cookie settings for non-sensitive cookies.
- Disclosure of public information and information that does not present significant risk.
- Bugs in content/services that are not owned/operated by Cognism.
- Scripting or other automation and brute forcing of intended functionality.
- When in doubt, contact us at security@cognism.com.
Out of Scope
- https://wealth*.cognism.com
- https://content.cognism.com
- https://documentation.cognism.com
- https://www.cognism.com/cognism-signatures
- Clickjacking & Tabnabbing
- https://cognism.com/*
- Rate limit
- Cipher Suite (TLS protocol)
Bug Bounty Awards
- Critical Severity Vulnerability: $1200
- High Severity Vulnerability: $600
- Medium Severity Vulnerability: $300
- Low Severity Vulnerability: $150