Responsible Disclosure
Last updated December 2021
At Unbabel Inc. we believe in the importance of securing our products and services, and we appreciate the efforts and transparency of the security research community in reporting to us vulnerabilities that may have slipped past our own security testing during development and testing. Should you find a vulnerability in one of our systems, we would prefer to hear about it as soon as possible so that we can take measures to protect our customers, editor community and staff.
1. Rules of Engagement (RoE)
The RoE we require from you, as a security researcher/ethical hacker, are the following:
- Use solely the security@unbabel.com channel to report vulnerability information to us;
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Unbabel;
- We do not allow authenticated testing and therefore cannot provide credentials;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (e.g. deliberate denial of service attacks), and destruction of data during security testing, including avoiding the exploitation of actual vulnerabilities that may directly or indirectly harm Unbabel or any interested party.
2. How to report
You can report vulnerabilities to us via security@unbabel.com. Please always include a description of the vulnerability itself, where exactly you identified it, evidence of the issue (if applicable; screenshots, videos and similar are encouraged), as well as steps explaining how to reproduce the vulnerability (we cannot reward or acknowledge vulnerabilities we cannot verify).
3. Our commitment
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursuing or supporting any legal action related to your research;
- Working with you to understand and resolve the issue quickly, including a) confirming receipt of your report within 5 days of submission and b) providing our conclusion on the report within 90 days of receiving it;
- Compensating you appropriately according to the severity of the vulnerability as determined by our internal triage results;
- To provide compensation, we require security researchers/ethical hackers to sign a non-disclosure agreement (NDA), provide a copy of valid identification, produce an invoice for our US-based headquarters and sign a US tax declaration form.
4. Exclusions
This program is not intended for reporting complaints. It is also not intended for:
- Reporting problems that are already known to us.
- Reporting that our website or one of our services is unavailable, or reporting DDoS attacks.
- Reporting error messages that do not contain sensitive information or any error behavior which does not pose a security risk.
- Reporting phishing emails.
- Reporting fraud.