Responsible Disclosure Policy

Last updated: April 14, 2025

At Unframe, we take the security of our systems seriously. We value the contributions of the security community and welcome reports from ethical hackers and researchers who help us keep our users safe.

This Responsible Disclosure Policy (the "Policy") outlines how to report potential security vulnerabilities to Unframe and what you can expect from us in return.

By submitting a vulnerability report to Unframe, you acknowledge that you have read, understood, and agree to abide by this Policy. Unframe will not pursue legal action against individuals who discover and report vulnerabilities in accordance with these guidelines.

If you have discovered a potential security vulnerability, we encourage you to report it to us responsibly.

Scope

This policy applies to:

  • Any vulnerabilities in our public-facing services, applications, APIs, and infrastructure.
  • Only vulnerabilities that have not been publicly disclosed or exploited.
  • Activities conducted in good faith and within the guidelines of this policy.

Guidelines for Responsible Disclosure

To protect our users and systems, we ask that you:

  1. Act in Good Faith – Avoid violating privacy, destroying data, or interrupting our services.
  2. Do Not Exploit – Do not use the vulnerability to access, modify, or delete data, or to pivot to other systems.
  3. Avoid User Impact – Strive to prevent privacy violations, degradation of user experience, or disruption of system availability.
  4. Practice Minimal Access – If you inadvertently access non-public data, limit exposure to the minimum amount necessary to report the vulnerability.
  5. Do Not Share Confidential Information – Keep all information about the vulnerability confidential until it has been resolved.
  6. Provide a Detailed Report – Include steps to reproduce, affected endpoints/systems, potential impact, and suggested remediation if available.
  7. Allow Time for Resolution – Allow a reasonable time frame (we aim to respond within 7 business days and fix critical issues as quickly as possible) before disclosing the vulnerability publicly.

What You Can Expect from Us

  • No Legal Action – If you act in accordance with this policy, we will not pursue legal action against you.
  • Acknowledgement – We will acknowledge your report and keep you informed of progress.
  • Recognition – With your permission, we may credit you for the discovery.
  • Confidentiality – We will keep your personal information confidential unless required by law or you give us permission to disclose it.

Out of Scope Vulnerabilities

The following are typically not considered in scope unless they present a clear security risk:

  • Clickjacking on non-sensitive pages.
  • Missing security headers without proven impact.
  • Lack of rate limiting or brute-force protection on non-authentication endpoints.
  • Reports from automated scanning tools without clear exploitability.
  • Third-party services or applications that Unframe uses but does not control.
  • Physical facilities, social engineering, or phishing attempts against our staff.
  • Network denial of service testing.
  • Unframe employees' personal accounts.
  • Hosted services of Unframe clients.

How to Report

Once you locate a vulnerability, please report it to our security team by sending your report to: cybersecurity@unframe.ai. Please include a detailed explanation of how the vulnerability was found, including reproducible steps, and clear evidence (such as screenshots, video, or command lines).

Once your report has been submitted, our security team will reach back [within ___ days] to acknowledge that they have received it. If needed, they may request additional information or clarifications. When the investigation of the reported vulnerability has concluded, our security team will reach out to you, and to any other relevant parties, to communicate any appropriate information and details about the investigation and the vulnerability.

Confidentiality Requirements

Any information you receive or collect about Unframe, its systems, clients, or employees during your security research must be kept strictly confidential. This includes:

  • Details about discovered vulnerabilities.
  • System architecture information.
  • User data encountered during research.
  • Communication with our security team.
  • Remediation plans or timelines.

You may not use, disclose, or distribute any confidential information without prior written consent from Unframe. This confidentiality requirement extends beyond the resolution of any reported vulnerability.

We expect all security researchers to destroy any collected data or information once the vulnerability has been reported and resolved.

Legal Safe Harbor

To encourage good-faith security research, Unframe commits that we will not initiate legal action for security research conducted in good-faith compliance with this policy.

This safe harbor is strictly conditional upon:

  • Full compliance with all aspects of this policy.
  • No data destruction, exfiltration, or service disruption.
  • Prompt and confidential reporting of discovered vulnerabilities.
  • No public disclosure until we've addressed the vulnerability.

Miscellaneous

Unframe reserves the right to amend this Policy at any time. Changes will be posted to our website with an updated effective date. Continued participation in our vulnerability disclosure program following such changes constitutes acceptance of the revised Policy.

Unframe reserves all legal rights for activities conducted outside this policy's guidelines.

If in doubt, please contact us first.
