Vulnerability management

Source code reviews

Coveo has a strict code review process in place, which leverages both manual and automated security testing (e.g., SAST and DAST) to ensure its software is free of malware in the production environment. Coveo uses a third-party automated vulnerability scanner for code analysis prior to each release. Proprietary code isn’t available to customers for review. Open source code is publicly available and maintained within Coveo’s GitHub account. Copyright compliance of open source components is verified quarterly.

Responsible disclosure

Coveo prioritizes security and encourages users and members of the broader security community to privately report suspected vulnerabilities. Vulnerabilities can be reported to security[@]coveo.com.

All issues reported to the Coveo security team are investigated promptly in collaboration with the reporter and remediated as quickly as possible. The security team may elect not to disclose information publicly, or to refrain from disclosure until the relevant issues are mitigated and affected customers are notified.

When reporting a security concern, provide as much detail as possible, including:

  • The URL and parameters demonstrating the vulnerability;

  • Your system configuration including any browser or user-agent information;

  • The exact reproduction steps;

  • Your IP address and account, if available, to coordinate with our logs.

If the information is sensitive, ask us for a secure exchange method and don’t send any executable attachments.

Penetration testing and bug bounty program

The Coveo Security Team performs frequent internal penetration tests using a variety of tools. However, these reports can’t be shared with customers.

Coveo maintains an active bug bounty program and generates an annual report of the vulnerabilities discovered by third-party experts. The latest report is available under Coveo’s Non-Disclosure Agreement (NDA).

Coveo accommodates Customers wanting to perform penetration tests on the Coveo Hosted Services. Such tests require specialist technical expertise and shall be pre-approved by the Coveo Security Team.

To request a technical review, Customers must create a support case and provide, at least 7 days prior to the test, the following information:

  • A comprehensive description of the desired tests and test scenarios;

  • A justification for the tests;

  • A desired test date and time frame in EST;

  • A contact person who can be reached at all times during the test and who can immediately terminate the execution of the test;

  • The targeted environment, services, organization, and endpoints.

Performance testing

Coveo commits to conducting performance tests on its Cloud products, thereby ensuring that the expected performance is always achieved. For details regarding the performance you should expect, see your Coveo Customer Agreement.

With Coveo ensuring the smooth functioning of its products, you shouldn’t need to perform stress or benchmark tests. Moreover, per the Coveo Customer Agreement, you may not access Coveo products for purposes of monitoring their availability, performance, or functionality, or for any other benchmarking or competitive purposes without the prior written consent of the Coveo Security Officer. Using any tool designed to automatically emulate the actions of a human user (such tools are commonly called robots) in conjunction with Coveo is also prohibited.

However, if you must conduct such tests for contractual or legal reasons, you’re required to get an authorization from Coveo beforehand. If you fail to do so, you could trigger a throttling process impacting your entire Coveo organization, and Coveo could suspend service provision.

In such a case, Coveo only approves reasonable requests.

Example

Your Coveo organization license agreement includes 1,000,000 queries per month (QPM), your Coveo-powered search interface receives 1 query per second (QPS) on average, and you want to see if Coveo can handle 10 QPS for your upcoming year’s sale where your traffic will increase temporarily.

Performance testing authorization process

If you must conduct performance tests for contractual or legal reasons, you’re required to contact Coveo Support at least five business days before the desired test date and time frame. This allows Coveo to monitor the process and ensure that you get the most accurate and relevant results by:

  • Obtaining the required authorizations from the hosting partner Coveo leverages;

  • Providing you with optimal test conditions;

  • Ensuring a contact person will be available for you during the entire testing process;

  • Monitoring the operation for product, service, process, and equipment improvement purposes.

The performance test authorization process goes as follows:

  1. You contact Coveo Support as soon as you know that you’re required to conduct a performance test, and provide the following information:

    • A comprehensive description of the tests you plan to perform;

    • Organization ID;

    • Source IP addresses from which the tests are run;

    • The targeted queries per second (QPS) during the tests;

    • A test justification;

    • The desired test date and time frame in EST (e.g., February 10 between 9 AM and 5 PM EST);

      Note

      A performance test should start and end on the same day.

    • A contact person who can always be reached during the test and who can immediately stop the test.

  2. If additional information is required, Coveo will request it by email.

    Warning

    A Coveo employee will never ask for your password!

  3. If your request is approved, Coveo provides you with a test time window within a few business days.