Security Rewards Program

Introduction

At Ubiquiti we take security very seriously, and embrace the security research community. We provide products and services that millions around the world use every day, and understand that privacy and security are very important to our customers.

Reward Program

To honor the Ubiquiti advocates that provide research and contributions to help improve security for our products, we provide a Security Reward Program. This program allows Ubiquiti to continuously improve the security of our products, while publicly recognizing the security enthusiasts submitting valid issues.

If you believe you have found a vulnerability in any of Ubiquiti's products or services, let us know as soon as possible, and we'll do our best to get the issues addressed as quickly as possible.

This Program will begin on November 1, 2014 and run until we publish that the Program has ended.

Program Scope

The Security Reward Program encompasses all of Ubiquiti's products, including, but not limited to:

Web Products
  • *.ui.com -- any web applications under the ui.com domain (Store, Community, WWW, SSO Account, etc.)
  • goubiquiti.com -- Ubiquiti World Network
Platform Products
  • airMAX, UniFi, EdgeMAX, airVision and airFiber embedded devices
  • Distributed Software Platforms -- Any controller software: UniFi, airVision, airControl

We consider a Vulnerability to be an error, flaw, mistake, failure or fault in a computer program or system that impacts the security of a device, system, network or data. In general, any Vulnerability may be considered for this Program. Please see exceptions below.

How to Claim

To submit a vulnerability or bug, please use our portal at https://hackerone.com/ui or send an email to security@ui.com. Please include as many details as possible, in a clear and concise manner. If desired, you can use our PGP/GPG Key here.

Rewards

Rewards typically range anywhere from US$100 - $25,000 depending on the application and the risk, complexity, impact and overall severity of the Vulnerability. Some examples include:

  • Remote code execution
  • Authentication bypass, unauthorized data access
  • SQL injection
  • XSS, XSRF, CSRF

Our reward panel will review each Vulnerability submission for eligibility and final reward consideration. Final reward amounts are at the sole and final discretion of Ubiquiti's reward panel. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex Vulnerability submissions.

All reward payments are subject to compliance with local laws, rules and regulations. Before you receive your reward, we may require that you sign an affidavit of eligibility, a questionnaire, and a release of liability. You will be solely responsible for all applicable taxes relating to any reward under this Program.

Recognition

Ubiquiti may publish a leaderboard of Vulnerability reporters based on previous security vulnerability and bug reports. These previous reporters may receive special access to Ubiquiti engineers. If you wish to remain anonymous to the public, we will honor your request.

Exceptions & Rules

  • This Program is limited strictly to technical vulnerabilities of Ubiquiti products and services.
  • You may only exploit, investigate or target vulnerabilities in your own account and the Ubiquiti products you own.
  • Any activity that would disrupt, damage or adversely affect any third party data, account or equipment is not allowed.
  • The following are strictly prohibited:
    • Attacks on Ubiquiti infrastructure or facilities
    • DoS attacks
    • Social Engineering attacks or phishing.
  • A Vulnerability must be a new, previously unreported vulnerability or bug in order to be eligible for reward or recognition.
  • Public disclosure or limited private release of any Vulnerability prior to its submission to Ubiquiti will disqualify such Vulnerability from consideration.
  • You must be the first to report a certain issue. In the event of duplicate Vulnerability submissions, only the earliest received submission will be considered.
  • You must not be the author of the code with the vulnerability or bug.
  • Any Vulnerability disclosed to any other party, including vulnerability brokers, will disqualify such Vulnerability from this Program.

Eligibility

Individuals 14 years of age or older may submit security vulnerabilities or bugs to Ubiquiti under this Program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parents' or legal guardian's permission prior to participating in this Program. You cannot reside in Cuba, Iran, North Korea, Sudan or Syria or countries subject to embargo regulations. There may be other laws or regulations restricting your ability to participate in this Program.

You must be participating in this Program in your own individual capacity or work for an organization that permits you to participate in this Program. You may not participate in violation of your employer's policies or your contractual obligations. We disclaim any liability for disputes arising between you and your employer or any other person or entity relating to this Program. Employees and contractors of Ubiquiti, and their respective relatives, are prohibited from participating in this Program.

Responsible Disclosure Period

Please provide us reasonable time to research the submitted issues and during that time do not make information about the vulnerability public or further known in order to protect the security and privacy of our users, and to preserve your eligibility.

Legal

This program is void where it is prohibited or restricted. Ubiquiti is not responsible for incomplete, illegible, inaccurate, undelivered, delayed or misdirected submissions. Ubiquiti reserves the right, in its sole discretion, to modify or terminate this Program such as in the event of any act, occurrence or reason that it believes would corrupt the integrity, administration or fairness of this Program.

By participating in this Program, you agree to release, discharge and hold harmless Ubiquiti, its respective parents, affiliates, subsidiaries, advertising and promotion agencies, and other individuals engaged in the development or execution of this Program, from any liability, claims, losses and damages arising out of or relating to their participation in this Program, or the acceptance, use, misuse or possession of any reward received in this Program.

This Program is sponsored by Ubiquiti Inc., located at 2580 Orchard Parkway, San Jose, CA 95131, USA, and is hosted in the United States, and submissions are collected on computers in the United States. This Program will be governed by the laws of the State of California, and you consent to the exclusive jurisdiction and venue of the courts located in Santa Clara County, California for any disputes arising from this Program.