Responsible Disclosure Process

At COERA, we prioritize the security and privacy of our systems, services, and users. We value the contributions of ethical security researchers and others who help us improve our security posture. This policy outlines how to report security vulnerabilities responsibly and what you can expect from us in return.

Who Can Report

This policy is open to:

  • External security researchers
  • Customers and partners
  • Employees and contractors of COERA

What to Report

We encourage you to report:

  • Vulnerabilities in our public-facing websites, applications, or APIs
  • Security weaknesses that could impact data confidentiality, integrity, or availability
  • Misconfigurations or data exposure risks

Please do not attempt:

  • Social engineering attacks
  • Denial-of-service testing
  • Physical security breaches
  • Accessing or modifying data that is not your own

How to Report

To report a security issue, please email us at security@co-era.com with the following details:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any relevant evidence (e.g., screenshots, logs, proof-of-concept)

You may choose to remain anonymous or include your contact information if you'd like to be eligible for a symbolic reward.

Our Commitment

When you report a vulnerability:

  • We will acknowledge receipt within 3 business days
  • We will investigate and respond with our assessment and actions within a reasonable timeframe
  • We will keep you updated as appropriate
  • We will not take legal action against you if you act in good faith within the scope of this policy

Recognition and Rewards

As a token of our appreciation, eligible reporters may receive a symbolic reward, such as a limited-edition item branded with the COERA logo. This reward is discretionary and not monetary. Recognition may also be given in our public "Hall of Thanks" (with your consent).

Safe Harbour

This policy provides legal safe harbour for security researchers who:

  • Follow this policy in good faith
  • Do not exploit or exfiltrate data
  • Cease testing once a vulnerability is found
  • Do not publicly disclose details before resolution without coordination