Cofense Logo - Email Security Solutions

Responsible Disclosure Policy

Updated: June 27, 2017

At Cofense, Inc., we take the security of our users’ data very seriously. If you have discovered or believe you have discovered potential security vulnerabilities in a Cofense Service or Product, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Responsible Disclosure Policy.

We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire Cofense’s user community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.

Responsible Disclosure Policy

While working to identify security vulnerabilities, Cofense asks that you:

  • Share any issues that you discover with us via [email protected], as soon as is practical
  • Provide Cofense reasonable amount of time to review and address reported issues before making them public (minimum 45 days after verification of vulnerability)
  • Do not attempt to access or modify any user data that is not your own.
  • Please do nothing to degrade the performance of our services (e.g. via automated scanning, brute forcing, or denial of service attacks)
  • Do not post, transmit, upload, link to, send or store malware, viruses or similar harmful software.
  • Report issues defined within scopes below.
  • Check our list of non-qualifying vulnerabilities to make sure that you aren’t spending time chasing down a vulnerability that isn’t going to qualify for our Security Researcher Hall of Fame (bottom of page).


Vulnerabilities affecting the following domains are in scope and may qualify for a bounty:

  • Cofense PhishMe
  • Cofense Triage License Server
  • Cofense ThreatHQ API Server
  • Cofense Reporter

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability issue, please share the details with Cofense by sending an email to [email protected]. In reporting a potential security vulnerability issue please include the following:

  • An adequate description and information regarding the security vulnerability that will allow Cofense to reproduce your steps and the issue,
  • Proof of Concept
  • How the attack could be executed in a real world scenario to compromise user accounts or data
  • Your email address
  • Your name and Twitter handle as you would like it to appear in our Security Researcher Hall of Fame (if selected).

Cofense will acknowledge receipt of your report within One Business Day, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.

Qualifying Vulnerabilities

Examples of qualifying vulnerabilities likely to be eligible for Hall of Fame recognition include:

  • Cross-Site Scripting (XSS) affecting supported browsers (Chrome/latest, Firefox/latest, Safari/6, IE/10+)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Missing/Broken Authentication
  • Remote Code Execution
  • Privilege Escalation

Non-Qualifying Issues

Not all issues are in the scope of our program, including some issues that may have been accepted by other programs. Please be aware of these non-qualifying issues before beginning your research and submitting any reports.

Examples of non-qualifying vulnerabilities (not eligible for a shout-out in our Hall of Fame) include:

  • Reports from automated tools or scanners
  • Theoretical attacks without actual proof of exploitability
  • Denial of Service attacks
  • Brute force attacks (e.g. on passwords or tokens)
  • Username or email address enumeration
  • Spamming
  • Issues with third-party applications
  • Issues with domains not owned by Cofense Inc (see the scope above)
  • Social engineering of Cofense staff or users
  • Vulnerabilities obtained through compromising Cofense user or employee accounts
  • Attacks involving any user accounts not created by you
  • Physical attacks against Cofense Inc offices or data centers
  • Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (e.g. man-in-the-middle attacks)
  • Missing security headers that do not lead directly to a vulnerability
  • Click-jacking
  • Content Spoofing
  • Cookies missing secure/Http only
  • Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves)
  • Issues related to password and account recovery policies (e.g. password complexity requirements)
  • Issues related to board and organization invitation policies
  • Issues related to having auto-complete enabled (i.e. not explicitly disabled) on password inputs
  • Disclosure of tools, libraries used by Cofense and/or their versions
  • Open redirects on domains other than
  • Issues that are the result of a user doing something silly (like sharing their password publicly)
  • Attacks affecting browsers not explicitly supported by Cofense
  • Issues related to e-mail coming from addresses (e.g. things related to DMARC and SPF)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions


Researchers that responsibly disclose in accordance with this Responsible Disclosure Policy are eligible for inclusion in our Security Researcher Hall of Fame. Whether or not a security vulnerability report is in compliance with this Responsible Disclosure Policy and a Researcher is eligible for inclusion in our Hall of Fame is in our sole discretion. Cofense does not compensate researchers for identifying potential or confirmed security vulnerabilities. Any requests for monetary compensation or any other type of consideration will be deemed in violation of this Responsible Disclosure Policy.


If you feel the email should be encrypted, our PGP key is available below.

—–BEGIN PGP PUBLIC KEY BLOCK—– Version: GnuPG v2 mQENBFszjSYBCACl1PKqvuctgFz93F8eLfh9E2IFvMmLfaujT22lfFZtetI7Ky2q 4avYrgyuQeU/Jg2FTidM+XIrxYfBIqAwHBmYFBveEGhThYdRbRBwOp3+9IFF36/p yeO7xLOw4/KBBwAty8u6uVwIw0vs7wftDpdhbcILpQF3/V28XLIr1oGQ90ztvRRI Y9kQFkmUTPkTqBXjCVkQE+Xco/t9vtjWl/lDx1St0xNDkg82FPGSK6uUixDYXtEP 9BzaVUH84KejmgTctA2dzgx3doSq9eFWUiI3/otPizv/TErx92FdwVlt7xRYwqt1 PDrVZH4dcRA71QybeGHug3NTfcdi72zxuNn5ABEBAAG0QlNlY3VyaXR5IChDb2Zl bnNlIHNlY3VyaXR5IGdyb3VwIGVtYWlsIGJveCkgPHNlY3VyaXR5QGNvZmVuc2Uu Y29tPokBVQQTAQgAPwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTuaWos PdvmNhybE5D7pL9CX7lQKAUCYGzZxwUJCPuzoQAKCRD7pL9CX7lQKPJYCACIYRkr L/qJLtrI9JfVLcAwSxmZ8JHNYooisPIS8ph4A+0hi8lj+sigQu8IsEbOFNRNeElU QL4GRmnTAnVHYoETaarCkhCGcsslFqmsWVn+m0VImZYezP+XCFFe42yQmXp5Bsh3 mzb5WXg9WKP9DB28yPIat5noRnknunK3BzcGgj4WFeFUK+36pFJWu77BrHUxeeTV 1OfNTEIYJyj7++Oj5RUa5ZeiGQ2Hwt2fuNOOgdNcAXqRAEmpVHP6fEpz+iAS9tkK 89F0lKb76ZgfP4FRyrgpA829AWAzPLZivKo6SZuQ/fZ4A+5AG04Ge0XNvBRsVrGe /HATDJ4f5imVXVO0uQENBFszjSYBCACbrrqUsAqDCmZk86cNxfa/bmw4w09Gi7Tk s+WT9JWqUlpYi2gKEI1rGIDBPQWynrtZANfmo21Ttx2EJ6zHjrVYGJZRw9wLjrB6 Vu/RgVe368tQTV6DfAg7TAsg9eFVWfdQT3D/Iuw0XGuxmkOnbLVrfHjwOpt9OfW/ YEgxCMp5v7QIMcJswcfrIK6IDcUDKIUDGi+Xbvpm12QDxjggJQp/JOmEXSlAN0WQ 19WYtwCBL5i007yQxofWYW9keuf+nQgi1ZI+CYj8T6bjmvV50EHNow1NoUsEkA3G 1oPArTeno44SfPeJ8gFFhIk0KKeONJwNpAUaNMaHy1sfeNZmAPezABEBAAGJATwE GAEIACYCGwwWIQTuaWosPdvmNhybE5D7pL9CX7lQKAUCYGzZ6wUJCPuzxQAKCRD7 pL9CX7lQKGV6B/4/oA3udPzjpqQxwayBgRuikVnSsQl0inD2GNl4WK4DHMwY44im BZJD3y//zGxnBsl3L9F2BS8MNWZ1f52scY9nPW5Ce8xRrI5M3+NQNoClOlJ9JMiU 625F5WColZsn4xlb7PpTl3vx5lK1FezMijp5i6FxIu3xF2hh2NrkzWUx98Lq/2uA ufJF/CpJ3IyzkJmEd3YGld6wO3M0DE0n/++KvOfGBit+7AxA1y2M7KJhIlhbMgSj eDariC+lFAy3f6vD9bwSzqOp1Nh2c6gb26qzT5ZmfS3PV61uMmZ/7dYWxlPF2IFY RfPomkpyi67yeeWGxWbGxOL8ng8IghuGWUaS =/5C3 —–END PGP PUBLIC KEY BLOCK—–

Security Researcher Hall of Fame


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.