Vulnerability management

This is for:

System Administrator

Source code reviews

Coveo has a strict code review process in place that leverages both manual and automated security testing, such as static application security testing (SAST) and dynamic application security testing (DAST). This makes sure that Coveo software is free of malware in the production environment. Coveo uses a third-party automated vulnerability scanner for code analysis before each release. Proprietary code isn’t available to customers for review. Open source code is publicly available and maintained within Coveo’s GitHub account. Copyright compliance of open source components is verified quarterly.

Responsible disclosure

Coveo prioritizes security and encourages users and members of the broader security community to privately report suspected vulnerabilities. Vulnerabilities can be reported to security[@]

All issues reported to the Coveo Security team are investigated promptly in collaboration with the reporter and remediated as quickly as possible. The security team may elect not to disclose information publicly, or to refrain from disclosure until the relevant issues are mitigated and affected customers are notified.

When reporting a security concern, provide as much detail as possible, including:

  • The URL and parameters demonstrating the vulnerability;

  • Your system configuration including any browser or user-agent information;

  • The exact reproduction steps;

  • Your IP address and account, if available, to coordinate with our logs.

If the information is sensitive, ask us for a secure exchange method and don’t send any executable attachments.

Penetration testing and bug bounty program

The Coveo Security team performs frequent internal penetration tests using a variety of tools. However, these reports can’t be shared with customers.

Coveo maintains an active bug bounty program and generates an annual report of the vulnerabilities discovered by third-party experts. The latest report is available under Coveo’s Non-Disclosure Agreement (NDA).

Coveo accommodates Customers wanting to perform penetration tests on the Coveo Hosted Services. Such tests require specialist technical expertise and should be pre-approved by the Coveo Security team.

To request a technical review, Customers must contact Coveo Support and provide, at least 7 days before the test, the following information:

  • A comprehensive description of the desired tests and test scenarios;

  • A justification for the tests;

  • A desired test date and time fame in EST (for example, February 10 between 9 AM to 5 PM EST);

  • A contact person that can be reached at all times during the test and that can immediately end the execution of the test;

  • The targeted environment, services, organization, and endpoints.

Performance testing

Coveo commits to conducting performance tests on its Cloud products, therefore ensuring that the expected performances are always achieved. For details regarding the performances you should expect, see your Coveo Customer Agreement.

With Coveo ensuring the smooth functioning of its products, you shouldn’t need to perform stress or benchmark tests. Per the Coveo Customer Agreement, you may not access Coveo products for purposes of monitoring their availability, performance, or functionality without the prior written consent of the Coveo Security Officer. Similarly, any other benchmarking or competitive purposes also require this written consent. Using any tool designed to automatically emulate the actions of a human user (such tools are commonly named robots) in conjunction with Coveo is also prohibited.

However, if you must conduct such tests for contractual or legal reasons, you’re required to get an authorization from Coveo beforehand. Failure to receive authorization could trigger a throttling process impacting your entire Coveo organization, and Coveo could suspend service provision. Coveo will consider approving reasonable requests.


Your Coveo organization license agreement includes 1,000,000 queries per month (QPM), your Coveo-powered search interface receives 1 query per second (QPS) on average, and you want to see if Coveo can handle 10 QPS for your upcoming year’s sale where your traffic will increase temporarily.

Performance testing and query throughput guidelines

To ensure a seamless experience and maintain optimal system performance, it’s important to understand our policies regarding query throughput and performance testing. This information outlines the maximum query rates allowed, the duration of load tests, and the frequency of performance tests.

  • Unless previously agreed through contract or other means, any testing that requires over 10 queries per second (QPS) must be communicated to Coveo in writing, via a Coveo Support case. 10 QPS or less throughput is considered normal traffic.

  • The maximum number of QPS allowed is based on your queries per month (QPM) entitlement. The absolute maximum throughput that Coveo will accept is 500 QPS.

    QPM entitlement Maximum QPS allowed

    1,000,000 or less


    From 1,000,001 to 3,000,000


    From 3,000,001 to 5,000,000


    From 5,000,001 to 10,000,000


    10,000,001 or more


  • The maximum load test duration is six hours. This is equal to about half a business day’s duration. Past that duration, queries will be throttled.

  • Performance tests are limited to a maximum of one per quarter.

  • All queries performed during performance tests are computed against your QPM entitlement.

Performance testing authorization process

If you must conduct performance tests for contractual or legal reasons, you’re required to contact Coveo Support at least five business days before the desired test date and time frame. This allows Coveo to monitor the process and make sure that you get the most accurate and relevant results by:

  • Obtaining the required authorizations from the hosting partner Coveo leverages;

  • Providing you with optimal test conditions;

  • Ensuring a contact person will be available for you during the entire testing process;

  • Monitoring the operation for product, service, process, and equipment improvement purposes.

The performance test authorization process goes as follows:

  1. You contact Coveo Support as soon as you know that you’re required to conduct a performance test, and provide the following information:

    • A comprehensive description of the tests you plan to perform;

    • Organization ID;

    • Source IP addresses from which the tests are run;

    • A justification for the test;

    • The desired test date and time frame in EST (for example, February 10 between 9 AM to 3 PM EST);


      A performance test should start and end on the same day.

    • A contact person that can always be reached during the test and that can immediately stop the test.

  2. If more information is required, Coveo will request it by email.


    A Coveo employee will never ask for your password!

  3. If your request is approved, Coveo provides you with a test time window within a few business days.