Uniti Group Inc. is excited to announce that, as of August 1st, 2025, we have completed our merger with Windstream. Both heritage Uniti (now Uniti Group LLC) and Windstream are now wholly owned subsidiaries under the Uniti brand. This important milestone allows us to strengthen our commitment to security and reliability across all our systems and services.

To our valued ethical hackers and threat researchers: As we integrate the strengths of both organizations, your expertise and vigilance in identifying vulnerabilities is more vital than ever. We invite you to partner with us in ensuring the safety and resilience of our expanded network. Thank you for your ongoing contributions to our security program.

Uniti is proud to partner with the HackerOne community and to continue its vulnerability hunting program. At Uniti, we take the security of our systems and networks very seriously, and we value the input of ethical security researchers to assist us in maintaining high standards for the security of our systems and customers’ information. If you believe you have identified a potential security vulnerability, please share it with us by following the submission procedures below.

If you are new to our Program, please be sure to review prior to making a submission.

Program Scope

This Policy applies to the following systems and services: •uniti.com •unitiwholesale.com •solutions.uniti.com •my.gokinetic.com • gokinetic.com • windstream.com • .windstream.com • windstream.net • .windstream.net • we.windstream.com • windstreamenterprise.com • windstreamwholesale.com

Any services not expressly listed above are excluded from the scope of this Program and not authorized for testing or research. In the event you find vulnerabilities in systems from our customers or vendors, please report those directly to the customer or vendor according to their disclosure policies.

Submission Procedures:

Your submission report must contain a detailed description of the discovered vulnerability and steps to reproduce it (the “Submission”). At minimum, your Submission must include the following: • Application, service, product, or system where the vulnerability was discovered • Vulnerability class or type • Possible security impacts • Steps to reproduce the vulnerability • Suggested vulnerability mitigation or remediation

Uniti will acknowledge receipt of all Submissions within two days of submission and will inform the submitting party of the status of any validated vulnerability reported through this Program.

Program Guidelines

To encourage vulnerability research and to avoid any confusion between ethical security research and malicious attacks, ethical security researchers must follow this Program and all applicable state, federal, and local laws, regulations, ordinances, or orders. Additionally, you must comply with the following: • Report any vulnerability promptly; • Avoid violating the privacy of others, disrupting Uniti systems, destroying Uniti data, and/or harming user experience; • Perform testing only on in-scope systems and respect systems and activities that are out-of-scope; • Refrain from social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing; • Do not store, share, compromise or destroy Uniti or user data. If you gain unintended access to data, limit the amount of data you access to the absolute minimum required for effectively demonstrating a Proof of Concept; cease testing; purge user data and submit a report to Uniti immediately, noting the unintended data access; User data includes, but is not limited to, customer and employee data, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or other proprietary information; • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact; • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced); • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report; • Only interact with test accounts you own or with explicit permission from the account holder; and • Do not engage in extortion; • If you detect the same bug on a different (unique) host before the report reaches triage for our .net assets, we will notify the customer. It is important to note that some subnets of the .net environment may be managed by the customer, meaning remediation is solely their responsibility. Therefore, confirmation of remediation completion may not be provided by Uniti. These reports will be marked as resolved. Please allow ‘Company ABC’ ample time to patch other instances of the host. Any future submission involving the same bug on the same host later will be considered as duplicate. If you encounter multiple hosts with the same bug under the same domain, please consolidate them into one report per domain. Instances of the same bug on different hosts within the same domain are considered as one report.

By providing a Submission:

• You certify that you have complied with the provisions of this Program set forth here and all applicable laws, statutes, regulations or ordinances. • You attest that you are not a resident of, or not make your submission from, a country or region under U.S. sanctions (see the OFAC List).
• You attest you are at least 18 years old. • You agree to keep all details of any discovered vulnerabilities confidential unless written permission is granted by Uniti. • You agree that any Uniti information that you may encounter, view, acquire, or access, is owned by Uniti or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. • You agree that your research will be conducted for testing and research purposes only, and that you will not attempt to gain access to customer or user accounts or confidential information and will only interact with accounts you own. • You consent to your information being stored and transferred to the United States and acknowledge you have read and accepted the terms of this policy. • You acknowledge that you have read and agreed to the Hacker1 Disclosure Philosophy https://www.hackerone.com/disclosure-guidelines.

By responsibly submitting your findings to Uniti pursuant to this Program, Uniti agrees not to pursue legal action against you. However, in the event of any noncompliance with this Program, we reserve all legal rights against you, including the right to pursue criminal and civil remedies for the noncompliance. Further, to the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products or services of any non-Uniti entity, or personal data of Uniti employees, customers, suppliers or any other third party, such non-Uniti entity or person may independently determine whether to pursue legal action or remedies related to such activities.

Uniti may amend the terms of this Program and maintains the right to terminate this Program at any time with or without notice.