Our commitment
We welcome reports from security researchers who identify vulnerabilities in good faith. When you report an issue responsibly, we commit to:
- Acknowledge your report within 5 business days
- Investigate and assess the reported issue
- Keep you informed of our progress
- Credit your contribution publicly upon request, once the issue is resolved
How to report
Send your report to
security@mycoachoffice.com
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact
- Any supporting evidence (screenshots, proof of concept)
Scope
In scope
- mycoachoffice.com and its subdomains
- The My Coach Office web application
Out of scope
- Third-party services or integrations not under our control
- Social engineering attacks
- Denial of service attacks
- Automated scanning that impacts platform availability
Guidelines
We ask that you:
- Do not access, modify, or delete data that does not belong to you
- Do not disrupt the platform or its users
- Allow us a reasonable remediation window of 30 days before public disclosure
- Act in good faith and with the intent to improve security
What we offer
My Coach Office does not operate a paid bug bounty program. We are an independent SaaS platform run by a small team.
We do offer
- Written acknowledgement of your contribution
- Public credit on our security acknowledgements page (upon request)
We do not offer
- Monetary compensation
Public disclosure
We support coordinated disclosure. If you have reported a vulnerability and have not received a response within 10 business days, you may proceed with public disclosure. We ask that you notify us before publishing.