Security is one of the most important pillars in enabling UiPath's Vision to reboot work, accelerate human achievement and provide a robot for every person. UiPath relies on the expertise of HackerOne's ethical hacker community to find vulnerabilities in our RPA Platform and surrounding ecosystem in order to keep our customers, partners and community users safe from malicious activities. We expect you to comply with the rules presented on this page, acquire a comprehensive understanding on how our platform components and ecosystem work together and submit quality reports if you notice any issue.

Program Rules

• If you find a vulnerability on any systems that you feel are part of the UiPath organization, please send us an email at [email protected]
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Multiple vulnerabilities caused by one underlying issue will be considered as one.
• Social engineering or any activity that could lead to social engineering or denial of service (DoS) (e.g. phishing, vishing, smishing) is prohibited.
• Only interact with accounts you own or with explicit permission of the account holder and don't jeopardize any UiPath or customer data.
• Any activity that could lead to social engineering or denial of service (DoS) issues. Your testing must not violate any law or disrupt or compromise any data that is not your own.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider attack scenario/exploitability, and security impact of the finding. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions
• Unauthenticated / logout / login CSRF
• Previously known vulnerable libraries without a working Proof of Concept
• Cookie issues relating to SameSite / Secureflag / HttpOnly
• Password policy and password lockout related issues
• User enumeration
• Use of zero day exploits in third-party software
• Reports of missing best practices in SSL/TLS configuration
• Denial of service (DOS) attacks using automated tools
• Issues where by removing the current privileges, the current permissions are active until logout or new session.
• HTML injection with no XSS is out of scope because we have many functionalities where HTML is intended to be used.
• Retrieving the role information as a low-privileged user.
• Retrieving the user list as a low-privileged user.
• Retrieving the tenant details and license consumption as a low-privileged user.
• External HTTP/DNS interactions where SSRF internal scanning or direct output is not possible.
• Leaked credentials for nonsensitive third-party apps.

Please note that we might consider inviting you to our Private Bug Bounty program if we feel that a reported vulnerability has provided good business impact.