Source Code Reviews
Coveo has a strict code review process in place that combines manual review with automated security testing (e.g., SAST and DAST) to ensure that the software deployed to production is free of known vulnerabilities and malicious code. Coveo uses a third-party automated vulnerability scanner for code analysis prior to each release. Proprietary code isn’t available to customers for review. Open source code is publicly available and maintained in Coveo’s GitHub account. Copyright compliance of open source components is verified quarterly.
Coveo prioritizes security and encourages users and members of the broader security community to privately report suspected vulnerabilities. Vulnerabilities can be reported to security[@]coveo.com.
All issues reported to the Coveo security team are investigated promptly in collaboration with the reporter and remediated as quickly as possible. The security team may elect not to disclose information publicly, or to refrain from disclosure until the relevant issues are mitigated and affected customers are notified.
When reporting a security concern, provide as much detail as possible, including:
The URL and parameters demonstrating the vulnerability.
Your system configuration including any browser or user-agent information.
The exact reproduction steps.
Your IP address and account, if available, to coordinate with our logs.
If the information is sensitive, ask us for a secure exchange method and don’t send any executable attachments.
Penetration Testing and Bug Bounty Program
The Coveo Security Team performs frequent internal penetration tests using a variety of tools. However, these reports can’t be shared with customers.
Coveo maintains an active bug bounty program and generates an annual report of the vulnerabilities discovered by third-party experts. The latest report is available under Coveo’s Non-Disclosure Agreement (NDA).
Coveo accommodates Customers wanting to perform penetration tests on the Coveo Hosted Services. Such tests require specialist technical expertise and shall be pre-approved by the Coveo Security Team.
To request authorization for a penetration test, Customers must create a support case and provide, at least 7 days prior to the test, the following information:
A comprehensive description of the desired tests and test scenarios
A justification for the tests
A desired test date and time
A contact person that can be reached at all times during the test and that can immediately terminate the execution of the test
The targeted environment, services, organization and endpoints
Coveo commits to conducting performance tests on its Cloud products to ensure that the expected performance levels are achieved at all times. For details regarding the performance levels you should expect, see your Coveo Customer Agreement.
Because Coveo ensures the smooth functioning of its products, you shouldn’t need to perform stress or benchmark tests. Moreover, as per the Coveo Customer Agreement, you may not access the Coveo Cloud products for the purpose of monitoring their availability, performance, or functionality, or for any other benchmarking or competitive purposes, without the prior written consent of the Coveo Security Officer. Using any tool designed to automatically emulate the actions of a human user (such tools are commonly referred to as bots or robots) against the Coveo Cloud is also prohibited.
However, if you must conduct such tests for contractual or legal reasons, you’re required to obtain authorization from Coveo beforehand. Without that authorization, your test traffic can’t be distinguished from abusive traffic: it could trigger throttling that affects your entire Coveo Cloud organization, and Coveo could suspend service provision.
Performance Testing Authorization Process
If you must conduct performance tests for contractual or legal reasons, you’re required to contact Coveo Support at least five business days before the desired test date. This allows Coveo to monitor the process and ensure that you get the most accurate and relevant results by:
Obtaining the required authorizations from the hosting partner Coveo leverages.
Providing you with optimal test conditions.
Ensuring a contact person will be available for you during the entire testing process.
Monitoring the operation for product, service, process, and equipment improvement purposes.
The performance test authorization process goes as follows:
You contact Coveo Support as soon as you know that you’re required to conduct a performance test, and provide the following information:
A comprehensive description of the tests you plan to perform (see Which tests require an authorization from Coveo?)
A clear mention of the targeted environments (see Which environments can be tested?)
Organization ID (see Review Organization Information Such As the Organization ID)
Source IP addresses from which the tests are run
A test justification
The desired test date
A contact person that can be reached at all times during the test and that can immediately stop the test.
If additional information is required, Coveo will request it by email.
A Coveo employee will never ask for your password!
If your request is approved, Coveo provides you with an authorization number and a test time window within a few business days.