Introduction

At Ubiquiti Inc. ("Ubiquiti"), we take security very seriously, and embrace the security research community. We provide products and services that millions around the world use every day, and understand privacy and security is very important to our customers. Therefore, Ubiquiti offers this Security Reward Program ("Program") to continuously improve the security of our products, while publicly recognizing the security enthusiasts submitting valid issues. If you believe you have found a vulnerability in any of Ubiquiti's products or services, let us know as soon as possible, and we'll do our best to get the issues addressed as quickly as possible.

By clicking "Submit Report", you consent to your information being transferred to and stored in the United States and acknowledge that you have read and accepted the Terms, Privacy Policy and Disclosure Guidelines presented to you when you created your account.

Please read the rules described in this policy carefully. By clicking "Submit Report", you agree to comply with all such rules. Violations of the rules are grounds for immediate forfeiture of any reward as well as possible removal from the Program

General Rules

• This Program is limited strictly to technical vulnerabilities of Ubiquiti products and services.
• Do not exploit, investigate or target vulnerabilities in any other user’s account or Ubiquiti product not owned by you.
• Do not cause harm to Ubiquiti, our customers, or third parties.
• Do not compromise the privacy or safety of our customers and the operation of our services. Any activity that would disrupt, damage or adversely affect any third-party data, account or equipment is not allowed.
• Do not violate any criminal law or other applicable laws.
• Confirm that you are not currently located in or otherwise ordinarily resident of a sanctioned country (for example, Cuba, Iran, North Korea, Sudan, Syria or Crimea) and not on the U.S. Department of the Treasury’s Specially Designated Nationals List.
• You must not be the author of the code with the vulnerability or bug.
• Public disclosure or limited private release of any vulnerability to any other party in violation of the Disclosure Guidelines below will disqualify such vulnerability from consideration.
• Any vulnerability disclosed to any third party that might potentially exploit the vulnerability, including vulnerability brokers, will disqualify such vulnerability from this Program.
• The following are strictly prohibited:
  • Physical attacks on Ubiquiti infrastructure or facilities
  • DOS attacks are not allowed
  • Social engineering attacks or phishing.

Program Scope

The Program encompasses all of Ubiquiti's products. Including, but not limited to:

Web Products

• *.ubnt.com and *.ui.com -- any web applications under ubnt.com or ui.com domains (WWW, SSO Account, etc.).
• Current and future cloud applications
• Exceptions: sites on *.ubnt.com or *.ui.com domains but hosted by a third party are not in scope. For example: training.ui.com (Training) and ir.ui.com (Investor Relations). While we are thankful for any reports against these sites, we are unable to issue rewards

Platform Products

• airMAX, UniFi, UniFi Protect, EdgeMAX, airFiber and UFiber embedded devices
• Distributed Software Platforms -- Any controller software, such as UniFi Network, and others
• Exceptions: any product that’s End-of-Life.

We consider a vulnerability to be an error, flaw, mistake, failure or fault in a computer program or system that impacts the security of a device, system, network or data.

Some examples of vulnerabilities include:

• Remote code execution
• Authentication bypass, unauthorized data access
• SQL injection
• XSS, XSRF, CSRF

You must be the first to report a certain issue. Vulnerabilities eligible for reward or recognition must be new and previously unreported. In the event of duplicate vulnerability submissions, only the earliest submission with sufficient actionable information will be considered for a reward.

In general, any vulnerability may be considered for this Program, however, please see exceptions below.

Exceptions & Additional Rules

• While we encourage any submission affecting the security of Ubiquiti products or platforms, unless evidence is provided demonstrating exploitability, the following examples are excluded from this Program:
  • Clickjacking
  • Issues without clearly identified security impact, missing security headers, or descriptive error messages
  • Missing best practices, information disclosures, use of a known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)
  • Speculative reports about theoretical damage without concrete evidence or some substantive information indicating exploitability
  • Forms missing CSRF tokens without evidence of the actual CSRF vulnerability
  • Self-exploitation (e.g., cookie reuse)
  • Reports of insecure SSL / TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • Our policies on presence/absence of SPF / DMARC records
  • Password complexity requirements, account/e-mail enumeration, or any report that discusses how you can learn whether a given username or email address has a Ubiquiti-related account
  • Missing security-related HTTP headers which do not lead directly to a vulnerability, including but not limited to X-Xss-Protection, X-Content-Type-Options, Content-Security-Policy-Report-Only, etc.
  • Self XSS vulnerabilities without evidence on how the vulnerability can be used to attack another user
  • Presence of autocomplete attribute on web forms
  • Missing secure cookie flags on non-sensitive cookies
  • Banner identification issues
  • Open ports which do not lead directly to a vulnerability
  • Open redirect vulnerabilities
  • Publicly accessible login panels
  • Content spoofing / text injection
  • Any vulnerability that makes use of Spanish Inquisition, we aren’t expecting that!

Reporting Template

Please be aware that the quality of your report is critical to our evaluation of your submission. We encourage you to use the list below as a template for your report. This does NOT mean you need to fully exploit the issue, just provide the information with as much detail as possible.

• State the name of the applicable product or platform, including the version numbers.
• Describe the type of issue with as much detail as possible.
• What are all the steps required to reproduce the issue?
• What is the impact of your issue?
• What are some scenarios where an attacker would be able to exploit this vulnerability? A proof of concept or functional exploit code would be helpful.
• If available, what would be your recommended fix?

Rewards

Rewards may vary depending on the application, the risk, complexity, impact and overall severity of the vulnerability. The internal criteria that we use to determine a reward is subject to change from time to time. Historical rewards paid for a vulnerability report does not indicate and will not be used as a basis to determine future payout for vulnerability of a similar type.

Our reward panel will review each vulnerability submission for eligibility and final reward consideration. Final reward amounts are at the sole and final discretion of Ubiquiti's reward panel. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex vulnerability submissions.

If we receive several reports for the same issue, we offer the reward to the earliest report for which we have enough actionable information to identify the issue.

If a single fix resolves multiple vulnerabilities, we treat this as a single vulnerability, which will receive a single bounty.

Rewards may be reduced or declined if there is evidence of abuse, such as data exfiltration or withholding reports in order to chain multiple issues together.

PLEASE NOTE: For eligible vulnerability submissions, 100% of the reward amount will be paid after Ubiquiti has an opportunity to evaluate and confirm the eligibility of the submitted issues. In some very specific cases, 50% of the reward will be paid after vulnerability is confirmed and remaining 50% will be paid when the fix for the vulnerabilities (confirmed by both you and Ubiquiti) is publicly released.

Rewarding Formula

Starting on August 1st, 2020, all-new reports will be based on the following rules.

Base Formula: (3^(x,x-1))*(AV/(3^9))

Where "x,x" is the CVSS score and maximum bounty is AV limit USD

Payment Limits:

Limits will be applied based on Attack Vector rules: Limit 1 (Physical) = 1,000 Limit 2 (Local)= 2,500 Limit 3 (Adjacent)= 4,000 Limit 4 (LAN Side) = 8,000 Limit 5 (WAN Side) = 25,000 Limit 6 (Ubiquiti Cloud) = 30,000

Decrease Bounty Drivers:

Privileges Required High = Base Score / 6 Low = Base Score / 2

User Interaction Required = Base Score / 4

Example: UI + Priv(L)(H) = (Score/4) /2 or /6

• LAN Side (Internal Network) Applies to all reports involving devices or services that are not directly accessible from the Internet, or that are intended to operate only within a local network. Examples: Switches, Access Points, NAS, NVR, Cloud Keys, UniFi Protect, UniFi Connect, UniFi Talk, and UniFi Access devices.

• WAN Side (Internet) Applies to all reports originating from or accessible via the Internet, excluding the devices listed under LAN Side that are designed exclusively for local network operation.

Recognition

Ubiquiti may publish a leaderboard of vulnerability reporters based on previous security vulnerability and bug reports. These previous reporters may receive special access to Ubiquiti engineers. If you wish to remain anonymous to the public, we will honor your request.

Disclosure Guidelines

Guidelines for Web Products:

We ask you to please wait until thirty (30) days after the vulnerability relating to the Web Products is fixed and the fix is publicly released before any disclosure.

When the completion date of a fix is not yet available or cannot be ascertained, we ask you to give us time to remediate the issue and refrain from any public disclosure.

Guidelines for Platform Products:

Because the users of our Platform Products have exclusive control over their devices, HackerOne’s disclosure guidelines shall not apply with respect to any vulnerabilities submitted in relation to our Platform Products.

The disclosure guidelines for vulnerabilities submitted in relation to our Platform Products are determined by reference to the significance of the vulnerability (as determined in the sole and absolute discretion of Ubiquiti), as follows:

• Minor issues: Limited disclosure (i.e., a summary written by Ubiquiti) is allowed 60 days after we publicly release the security fix.
• Significant, but non-critical issues: Limited disclosure (i.e., a summary written by Ubiquiti) is allowed 120 days after we publicly release the security fix.
• Critical issues: Limited disclosure (i.e., a summary written by Ubiquiti) may be allowed on a case-by-case determination after we publicly release the security fix.

All disclosure shall be limited to a summary of the relevant vulnerabilities written by Ubiquiti. Full disclosure of the submitted report or the underlying vulnerabilities relating to the Platform Products is not allowed under any circumstances.

Posting details or conversations about the vulnerabilities in violation of the disclosure guidelines reflects poorly on this Program and jeopardize the security and privacy of our customers. VIOLATION OF THE DISCLOSURE GUIDELINES ABOVE WILL RESULT IN FORFEITURE OF ANY REWARD AND/OR IMMEDIATE REMOVAL FROM THIS PROGRAM.

Legal

Ubiquiti reserves the right to modify this policy or terminate this Program at any time and for any reason.

You hereby represent and warrant that all submissions are your original work and you own all right, title and interest therein and thereto. You grant Ubiquiti and its affiliates a worldwide, perpetual, irrevocable, non-exclusive, transferable, fully paid and royalty-free license under any intellectual property rights or other rights to use, copy, modify, create derivative works based upon and otherwise exploit the materials submitted by you.

All reward payments are subject to compliance with local laws, rules and regulations. Before you receive your reward, we may require that you sign an affidavit of eligibility, a questionnaire, and a release of liability. You will be solely responsible for all applicable taxes relating to any reward under this Program.

Any information you receive or collect about Ubiquiti, its affiliates or any of their customers, employees or agents in connect with this Program ("Confidential Information") must be kept confidential and only used in connection with this Program. You may not use, disclose or distribute any such Confidential Information without Ubiquiti’s prior written approval.