Last updated December 2021
At Unbabel Inc. we believe in the importance of securing our products and services, and we appreciate the efforts and transparency of the security research community in reporting to us vulnerabilities that may have slipped past our own security testing during development and testing. Should you find a vulnerability in one of our systems, we would prefer to hear about it as soon as possible so that we can take measures to protect our customers, editor community and staff.
1. Rules of Engagement (RoE)
The RoE we require from you, as a security researcher/ethical hacker, are the following:
- Use solely the firstname.lastname@example.org channel to report vulnerability information to us;
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Unbabel until we’ve had 90 days to resolve the issue;
- We do not allow authenticated testing and therefore cannot provide credentials;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (e.g. deliberate denial of service attacks), and destruction of data during security testing, including avoiding the exploitation of actual vulnerabilities that may directly or indirectly harm Unbabel or any interested party.
2. How to report
You can report vulnerabilities to us via email@example.com. Please always include a description of the vulnerability itself, where exactly you identified it, evidence of the issue (if applicable; screenshots, videos and similar are encouraged), as well as steps explaining how to reproduce the vulnerability (we can neither reward nor acknowledge vulnerabilities we cannot verify).
3. Our commitment
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursuing or supporting any legal action related to your research;
- Working with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 working days of submission);
- Compensating you appropriately according to the severity of the vulnerability as determined by our internal triage results.
To provide compensation, we require security researchers/ethical hackers to sign a non-disclosure agreement (NDA), produce an invoice for our US-based headquarters and sign a US tax declaration form.
This program is not intended for reporting complaints. It is also not intended for:
- Reporting problems that are already known to us.
- Reporting that our website or a given service of ours is not available, or DDoS attacks.
- Reporting error messages that do not contain sensitive information or any error behavior which does not pose a security risk.
- Reporting phishing emails.
- Reporting fraud.