Responsible Disclosure Policy
Updated Feb 2, 2023
Although we strive to keep our system secure, we are not naive enough to think that our applications are 100% flawless. We take security issues seriously and respond swiftly to fix verifiable security issues.
We encourage anyone to report security issues to firstname.lastname@example.org.
Who can participate in the program?
Anyone who does not work for Union Test Prep, reports a unique security issue that is in scope, and does not disclose it to a third party before we have patched and updated.
How should reports be formatted?
We would like you to format your reports like this:
Name: %name
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
Which domains are in scope?
Out of scope:
- Any domains that are not listed above
However, if you can prove that a bug under these domains has a significant impact (for example, fetching content on uniontestprep.com from classrooms.uniontestprep.com), a bug on these domains may qualify anyway.
What bugs are eligible?
Any typical web security bugs such as:
- Authentication bypass
- Cross-site request forgery
- Cross-site Scripting
- File inclusion
- Open redirect
- Server-side code execution
What bugs are NOT eligible?
Disruptive bugs or bugs with no/low impact or likelihood such as:
- Brute force attacks
- Denial of service
- Email spoofing, SPF, DMARC & DKIM
- Hardening tips (such as missing CSP header or SRI attribute)
- Missing cookie flags on non-session cookies or third-party cookies
- Logout CSRF
- Password policy improvements
- Social engineering
- Weak TLS ciphers
Please don't perform research that could impact other users, and please keep your reports concise. If we fail to understand the logic of your bug, we will tell you.
We reserve the right to discontinue the reward program at any time without prior notice.