Unqork is in the business of developing secure no-code solutions. We appreciate any effort done by security researchers to discover and responsibly disclose potential vulnerabilities. Depending on the severity of the issue, we may elect to provide a reward or add your name and social media contact to our hall of fame.
If you would like to report a vulnerability in one of our products or services, or have security concerns regarding Unqork software or systems, please email firstname.lastname@example.org.
To support a timely and effective response to your report, please include the following:
Summary of the finding
Steps to reproduce
Proof of Concept (POC)
Impact of the finding
Unqork takes all vulnerability reports very seriously and aims to respond rapidly and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, which should follow directly after we receive it, we will update you periodically on our response and remediation status.
Vulnerabilities associated with the below domains or the Unqork No Code Platform are within scope.
Download Burp Configuration File (2 Domains) - Last Updated: 07/13/2022
Below is the list of vulnerabilities that generally qualify for a reward or a hall of fame listing:
Server-side Remote Code Execution (RCE)
Stored Cross Site Scripting (XSS)
Unintentional data access between environments
Designer and Express RBAC vulnerabilities
Testing should not be conducted against any of our customer environments or against our employees. If there is any evidence of malicious activity, we reserve the right to reject any recognition or rewards associated with the report. Do not perform automated scans against the environments in scope; any findings from automated scanners are not in scope.
Vulnerabilities associated with the below domains or the Unqork No Code Platform are not within scope.
Security issues related to Unqork-owned domains/properties that we have already assessed for risk and will address in the future are generally out of scope and include the following:
HTTPS configuration such as insecure TLS algorithms
HTTP headers such as Content Security Policy, and clickjacking/XSS protection
DNS records related to email (SPF, DKIM, DMARC) and certificate issuance (CAA)
Commonly reported issues from automated scanners
Malicious code introduced by designers to attack express users
Reflected inputs with no impact to the end user or server
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Spamming, Flooding, Rate Limiting
Social Engineering against Unqork employees or contractors
It is highly recommended to use Unqork's PGP key to send reports to us. Below is our public key:
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists.
This is a discretionary rewards program. You should understand that we can cancel the program at any time and that the decision as to whether or not to pay a reward is entirely at our discretion.
Your testing must not violate any law, or disrupt or compromise any data that is not your own. Vulnerability reports must be kept strictly confidential between yourself and Unqork.
Employees of Unqork are not eligible for this program.
All testing should be done with your own account.
We do not allow disclosure of the vulnerability.
Do not use the vulnerability to exploit more than necessary to demonstrate the vulnerability.
Thank you to all of the security researchers below for responsibly disclosing vulnerabilities to us: