Skip to main content



Coupa Success Portal

Vulnerability Reporting Policy


At Coupa, we recognize the important role that independent security researchers play in keeping the internet secure. Keeping our customers’ data secure is our number-one priority and we encourage responsible reporting of any vulnerabilities that may be found in our site or application. We're committed to working with the security community to verify and respond to any potential vulnerabilities reported to us, and we pledge not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to the conditions below.

Testing for Security Vulnerabilities

Only conduct vulnerability testing against trial instances of our online services to minimize the risk to our customers’ data. When testing, we don't allow the following types of security research:

  • Causing, or attempting to cause, a Denial of Service (DoS) condition
  • Accessing, or attempting to access, data or information that does not belong to you
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

Reporting Potential Vulnerabilities

Privately share details of the suspected vulnerability with us by sending an email to If you want to send an encrypted message, you can use this PGP Key. Provide full details of the suspected vulnerability so our security team can validate and reproduce the issue.

Include the following information:

  • Proof-of-concept and/or URL demonstrating the vulnerability
  • Type of issue (cross-site scripting, buffer overflow, SQL injection, etc.)
  • Any special configuration required to reproduce the issue
  • Impact of the issue, including how an attacker could exploit the issue

Our Security Commitment

To all security researchers who follow this Coupa Vulnerability Reporting Policy, our security team commits to:

  • Respond in a timely manner, acknowledging receipt of your report
  • Provide an estimated time frame for addressing the vulnerability
  • Notify the reporting individual when the vulnerability has been fixed

We take security issues seriously and will respond swiftly to fix verifiable security issues, however some of our products are complex and may take some time to update.


While we appreciate the work done by independent security researchers, we don't offer compensation for reporting a security vulnerability. Any requests for such compensation will be considered a violation of the conditions above. In such an event, Coupa reserves all of its legal rights.

  • Was this article helpful?