Security

ISO 27001:2013 Certified

At COINS, one of our foremost priorities is to protect all types of information and data provided by our stakeholders, including clients, employees, partners, government (and regulatory agencies) and suppliers. We hold ISO 27001:2013 (ISO 27001) certification, validated through third-party audit by BSI Group, one of the most respected and reputable management systems certification bodies in the world.

ISO 27001 is one of the most internationally accepted and widely recognised information security standards. It was developed to provide organisations with a framework for establishing processes for implementing, operating, monitoring, reviewing and improving an Information Security Management System (ISMS). Our ISO 27001 certification confirms our ISMS is aligned with international information security best practices and we have the right processes and procedures in place to handle a wide range of information assets. It demonstrates that COINS places a priority on client data protection through implemented controls including security-by-design product development, data encryption, vulnerability management, business continuity, disaster recovery plans and much more.

Report a Vulnerability

If you believe you have found a security issue that meets COINS' definition of a vulnerability, please submit a report to our security team via one of the methods below:

Please include the following information in your report:

  • Type of issue (cross-site scripting, SQL injection, remote code execution, etc.)
  • Product and version with the bug or a URL if dealing with a cloud service
  • The potential impact of the vulnerability (i.e. what data can be accessed or modified)
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept or exploit code required to reproduce

Security Researchers

COINS values the members of the independent security research community who find security vulnerabilities and work with COINS so that security fixes can be issued to all customers. COINS does not operate a bounty programme but it is our policy to credit all researchers when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:

  • They do not publish the vulnerability prior to COINS releasing a fix for it.
  • They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code.

Automated Scanners

We are unable to respond to bulk reports generated by automated scanners.

If you identify issues using an automated scanner, it is recommended that you have a security practitioner review the issues and ensure that the findings are valid before submitting a vulnerability report to COINS.

Definition of a Vulnerability

COINS follows the MITRE.org definition of a security vulnerability, which is “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.

Mitigation of the vulnerabilities in this context typically involves coding changes but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).”

What to expect

  • After you have submitted your report, we will respond within 5 working days and aim to triage it within 10 working days.
  • Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity. Vulnerability reports might take some time to triage or address.
  • When the reported vulnerability is resolved, or remediation work is scheduled, COINS will notify you, and invite you to confirm that the solution covers the vulnerability adequately.
  • We’ll also keep you informed about our progress throughout the process.


© COINS Global 2024
