Security is one of the most important pillars in enabling UiPath's Vision to reboot work, accelerate human achievement and provide a robot for every person. UiPath relies on the expertise of HackerOne's ethical hacker community to find vulnerabilities in our RPA Platform and surrounding ecosystem in order to keep our customers, partners and community users safe from malicious activities. We expect you to comply with the rules presented on this page, acquire a comprehensive understanding of how our platform components and ecosystem work together, and submit quality reports if you notice any issue.
Program Rules
- If you find a vulnerability on any systems that you feel are part of the UiPath organization, please send us an email at [email protected]
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be considered as one.
- Social engineering or any activity that could lead to social engineering or denial of service (DoS) (e.g. phishing, vishing, smishing) is prohibited.
- Only interact with accounts you own or with explicit permission of the account holder and don't jeopardize any UiPath or customer data.
- Any activity that could lead to social engineering or denial of service (DoS) issues is prohibited. Your testing must not violate any law, or disrupt or compromise any data that is not your own.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider attack scenario/exploitability, and security impact of the finding. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Unauthenticated / logout / login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Cookie issues relating to SameSite / Secure flag / HttpOnly
- Password policy and password lockout related issues
- User enumeration
- Use of zero day exploits in third-party software
- Reports of missing best practices in SSL/TLS configuration
- Denial of service (DoS) attacks using automated tools
- Issues where, after the current privileges are removed, the existing permissions remain active until logout or a new session.
- HTML injection with no XSS is out of scope because we have many functionalities where HTML is intended to be used.
- Retrieving the role information as a low-privileged user.
- Retrieving the user list as a low-privileged user.
- Retrieving the tenant details and license consumption as a low-privileged user.
- External HTTP/DNS interactions where SSRF internal scanning or direct output is not possible.
- Leaked credentials for non-sensitive third-party apps.
Please note that we might consider inviting you to our Private Bug Bounty program if we feel that a reported vulnerability has provided good business impact.