Welcome!
We're excited to invite security bug hunters from all backgrounds to help us make Unify a more secure platform for everyone. Your expertise helps us identify vulnerabilities before they can be exploited, and we value your contributions to our security efforts.
Program Scope
We appreciate reports that can help us improve our security posture. Please review the following details carefully before submitting your findings.
In-Scope Assets
Out-of-Scope Assets
- Any services hosted by third parties, unless they impact the security of our primary assets.
- Marketing pages (e.g., blog, landing pages).
- Physical offices and infrastructure.
- Employee social media accounts.
Vulnerabilities We're Interested In
- Cross-Site Scripting (XSS)
- SQL Injection
- Authentication bypass
- Privilege escalation
- Misconfigured access controls
- Remote Code Execution (RCE)
- Security misconfigurations
- Server-side request forgery (SSRF)
- Prompt Injection
- Tenant Isolation
Vulnerabilities Out-of-Scope
- Issues solely affecting outdated browsers
- Missing HTTP security headers (unless they lead to a proven vulnerability)
- Vulnerabilities requiring physical access
- Self-XSS requiring significant user interaction
- Reports from automated tools without clear evidence of impact
- Theoretical vulnerabilities without proof of exploitation
- Denial of Service/Resource Exhaustion
Rewards
We offer bounties based on the severity and impact of the vulnerability:
- Critical: Full system compromise or large-scale breach (CVSS 9.0 - 10.0)
- E.g. Remote Code Execution (RCE), database access, admin panel access
- High: Access to sensitive data or elevated privileges without full compromise (CVSS 7.0 - 8.9)
- E.g. Privilege escalation, significant data exposure, authentication bypass
- Medium: Abuses that require some user interaction or unusual conditions (CVSS 4.0 - 6.9)
- E.g.: Cross-Site Scripting (XSS), CSRF, minor API issues
- Low: Minor misconfigurations or information disclosure (CVSS 0.1 - 3.9)
- E.g.: Information disclosure without direct impact, missing security headers
Note: Reports without clear security implications or that require unrealistic attack scenarios will not be rewarded.
Submission Guidelines
- Duplicates or already identified vulnerabilities are not eligible for rewards
- Provide clear, step-by-step instructions to reproduce the vulnerability
- Include screenshots, videos, or code snippets where possible
- Test only on your own accounts; do not access others' data
- Describe the potential impact and attack scenario
- Be respectful of our users' privacy and our systems' stability
Rate Limits & Testing Constraints
- Limit requests to no more than 10 requests per minute
- Avoid testing that triggers excessive emails or notifications (max 5 per hour)
- Limit login/authentication attempts to 10 per hour
- Avoid any testing that could impact system availability or other users
Our Commitment
- We will acknowledge your report within 5 business days
- A resolution or fix will be implemented based on severity
- We will keep you informed about the status of your report
- We will recognize your contribution if you wish to be acknowledged
Disclosure
Findings may not be publicly disclosed until UnifyGTM confirms remediation or 90 days have elapsed from acknowledgment, whichever comes first.
Legal Safe Harbor
This program follows a "safe harbor" approach. As long as your research is conducted responsibly and within the program's scope, we consider it authorized. If legal questions arise, we'll work with you to understand and resolve them.
Good Faith Clause
(1) Unify will not initiate or support legal action against researchers acting in good faith within program scope, and (2) Unify will not refer reports to law enforcement for good-faith research.
