Coda

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| `https://*.coda.io/*` | URL | low | low | | | low | medium |
| `https://airflow-prod.coda.io/*` | URL | low | low | | | low | medium |
| `https://airflow-prod.ops.coda.io/*` | URL | low | low | | | low | medium |
| `https://coda.io/*` | URL | | | | | | critical |
| `https://data.coda.io/*` | URL | low | low | | | low | medium |
| `https://head.coda.io/*` | URL | low | low | | | low | medium |
| `https://infra.coda.io/*` | URL | low | low | | | low | medium |
| `https://shiny.ops.coda.io/*` | URL | low | low | | | low | medium |
| `https://staging.coda.io/*` | URL | low | low | | | low | medium |
| `https://user-profile-prod.coda.io/*` | URL | low | low | | | low | medium |
| `https://user-profile-test.coda.io/*` | URL | none | low | | | none | low |
| `https://coda.io/signup/email` | URL | | | | | | critical |
| Coda Chrome Extension | OTHER | low | low | | | medium | high |
| `io.coda` | APPLE_STORE_APP_ID | | | | | | critical |
| `io.coda.codaapp` | GOOGLE_PLAY_APP_ID | | | | | | critical |

- `https://coda.io/signup/email`: Please use your HackerOne designated email (**`@wearehackerone.com`**) when signing up. Please also avoid any automated testing or brute-forcing, as that may lead to your accounts or IP getting locked out and may also create issues on our end.
- Coda Chrome Extension: Link: https://chrome.google.com/webstore/detail/coda-browser-extension/cdgkmagmdldlpiglliebaajdpdkigcbi?hl=en
- `io.coda`: Link: https://apps.apple.com/us/app/coda/id1397968110 Coda's native apps make heavy use of the same endpoints and UX that are used by the mobile website. That being said, there are some differences, and we invite security reports pertaining to our iOS and Android apps. Please be sure to follow the same guidelines for setting up an account in our mobile apps as on https://coda.io.
- `io.coda.codaapp`: Link: https://play.google.com/store/apps/details?id=io.coda.codaapp Coda's native apps make heavy use of the same endpoints and UX that are used by the mobile website. That being said, there are some differences, and we invite security reports pertaining to our iOS and Android apps. Please be sure to follow the same guidelines for setting up an account in our mobile apps as on https://coda.io.

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| status.coda.io | URL | | | | | | none |