Vulnerability Disclosure Program

Unqork is in the business of developing secure no-code solutions. We appreciate any effort done by security researchers to discover and responsibly disclose potential vulnerabilities. Depending on the severity of the issue, we may elect to provide a reward or add your name and social media contact to our hall of fame.

If you would like to report a vulnerability in one of our products or services, or have security concerns regarding Unqork software or systems, please email psirt@unqork.com.

To support a timely and effective response to your report, please include the following:

  • Summary of the finding

  • Steps to reproduce

  • Proof of Concept (POC)

  • Impact of the finding

  • Nuclei Templates

Unqork takes all vulnerability reports very seriously and aims to respond rapidly and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, which should follow promptly after we receive it, we will update you periodically on our response and remediation status.

Scope

Vulnerabilities associated with the domains below or the Unqork No Code Platform are within scope.

  • *.unqork.com

  • marketplace.unqork.io

Download Burp Configuration File (2 Domains) - Last Updated: 07/13/2022

Below is the list of vulnerabilities that generally qualify for a reward or a hall of fame entry:

  • Server-side Remote Code Execution (RCE)

  • NoSQL Injection

  • Stored Cross Site Scripting (XSS)

  • Authentication Bypass

  • Unintentional data access between environments

  • Designer and Express RBAC vulnerabilities

  • Server-Side Misconfiguration

Out of Scope

Testing should not be conducted against any of our customer environments or against our employees. If there is any evidence of malicious activity, we reserve the right to reject any recognition or rewards associated with the report. Do not perform automated scans against the environments in scope; any findings from automated scanners are not in scope.

Vulnerabilities associated with the domains below or the Unqork No Code Platform are not within scope.

Security issues related to Unqork-owned domains/properties that we have already assessed for risk and will address in the future are generally out of scope and include the following:

  • HTTPS configuration such as insecure TLS algorithms

  • HTTP headers such as Content Security Policy, and clickjacking/XSS protection

  • DNS records related to email (SPF, DKIM, DMARC) and certificate issuance (CAA)

  • Commonly reported issues from automated scanners

  • Malicious code introduced by designers to attack express users

  • Self-XSS

  • Reflected inputs with no impact to the end user or server

  • Denial of Service (DOS) and Distributed Denial of Service (DDOS)

  • Spamming, Flooding, Rate Limiting

  • Social Engineering against Unqork employees or contractors

  • Username/e-mail enumeration

PGP Public Key

It is highly recommended to use Unqork's PGP key to send reports to us. Below is our public key:

Disclosure Policy

  • We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists.

  • This is a discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.

  • Your testing must not violate any law, or disrupt or compromise any data that is not your own. Vulnerability reports must be kept strictly confidential between yourself and Unqork.

  • This program is not eligible for employees of Unqork.

  • All testing should be done with your own account.

  • We do not allow disclosure of the vulnerability.

  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.

Unqorker's Hall of Fame

Thank you to all of the security researchers below for responsibly disclosing vulnerabilities to us: