Unqork is in the business of developing secure no-code solutions. We appreciate any effort done by security researchers to discover and responsibly disclose potential vulnerabilities. Depending on the severity of the issue, we may elect to provide a reward or add your name and social media contact to our hall of fame.
If you would like to report a vulnerability in one of our products or services, or have security concerns regarding Unqork software or systems, please email psirt@unqork.com.
To support a timely and effective response to your report, please include the following:
- Summary of the finding
- Steps to reproduce
- Proof of Concept (POC)
- Impact of the finding
- Nuclei Templates
Unqork takes all vulnerability reports very seriously and aims to rapidly respond and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, which should be directly after receiving it, we will update you periodically with our response and remediation status.
Scope
Vulnerabilities associated with the below domains or the Unqork No Code Platform is within scope.
- *.unqork.com
- marketplace.unqork.io
Download Burp Configuration File (2 Domains) – Last Updated: 07/13/2022
Below are the list of vulnerabilities that generally qualify to receive a reward or hall of fame:
- Server-side Remote Code Execution (RCE)
- NoSQL Injection
- Stored Cross Site Scripting (XSS)
- Authentication Bypass
- Unintentional data access between environments
- Designer and Express RBAC vulnerabilities
- Server-Side Misconfiguration
Out of Scope
Testing should not be conducted against any of our customer environments or against our employees. If there is any evidence of malicious activity, we reserve the right to reject any recognition or rewards associated with the report. Do not perform automated scans against the environments in scope, any findings from automated scanners are not in scope.
Vulnerabilities associated with the below domains or the Unqork No Code Platform is not within scope.
- www.unqork.com
Security issues related to Unqork-owned domains/properties that we have already assessed for risk and will address in future are generally out of scope and include the following:
- HTTPS configuration such as insecure TLS algorithms
- HTTP headers such as Content Security Policy, and clickjacking/XSS protection
- DNS records related to email (SPF, DKIM, DMARC) and certificate issuance (CAA)
- Commonly reported issues from automated scanners
- Malicious code introduced by designers to attack express users
- Self-XSS
- Reflected inputs with no impact to the end user or server
- Denial of Service (DOS) and Distributed Denial of Service (DDOS)
- Spamming, Flooding, Rate Limiting
- Social Engineering against Unqork employees or contractors
- Username/e-mail enumeration
PGP Public Key
It is highly recommended to use Unqork’s PGP key to send reports to us. Below is our public key:
BEGIN PGP PUBLIC KEY BLOCK
xsFNBGLYNsUBEADeRaQQJR0H6Zyjm3MMSoNX5ZsbjR38kVQ0wJINVk3a13b6HQ+m6NWVS2HzbR5GtsWZIiy4JjhmD7e+hqMhSr10hEX9GKhO46HO/uuy943Ao+E4529CpRe/POKU1Tj5htgauCfq2eMqswRHej20wCF/ctRjA+inSFh5MgmTUOLtsJZt/PjU5HSwDI1YyqJnwhl04IgwUQe+5jA0an0W3cFlh6J+p8Q8D55vEIhGHnGRh/Rkr8Zue21yTAvhC7TqhOCmfUaXcUQse5/rsYGsEC+LmPantYWoel8ca3W9p/gPcOI60roU7fXtiHWV8h++lzZMwX8wK45+d817IWKsl5ZuyIRAnfvu4ph66LoAEXGrU6sv/sW8LsCdkizhvi9kypPciaQ3K+KAhIhg7gkKM0EdA6lvph2YmXDaKpMzJgk6RSZRHObFBy9lg7p7T7UhhIvAIhAG/mJ4IYflpLrwuGivinKO9aN5WBTXUamPG0aFrUvEN6jE7sXyVW6a+TWycJe3Nb5yUqnmT+QOoYX4ftKtpneU97opwo1YinvNC3LmC51xEu9TuUXnMntmFaLoNV1l9AWXVkq3z96bVjFlfuBWPYxTva3NXvIy+CxNLzw8+bnvKzvqREGlDtWsSHoGUnpIAs0SNgmf7L/Rhx/XmMu6ONa2YYDjHpNarljRBNEIJwARAQABzSNQcm9kdWN0IFNlY3VyaXR5IDxwc2lydEB1bnFvcmsuY29tPsLBigQQAQgAHQUCYtg2xQQLCQcIAxUICgQWAAIBAhkBAhsDAh4BACEJEB00CcQVQjGMFiEESdsg76MjLYHgSE/7HTQJxBVCMYzlQA//Q2jq1oNvxRsew52iX9RQE2uWiq1UQ1jFkzp04fy84UeGIfTYRKckKiEfkJSNi6UhKTNdNi+EyOIuKEPaK71cwC3KjTumfR+67XNtTTcers7armYkY03FDRMAFiAnG6gJs4Gaf5E6t/wvEmqd7eSP6v0lNi9J9wihK2ZBcJSVHf+07nWG3dyS8wBNxQVfxtKNTE2S7OsjV9aE/aJz+f0XUSPpBvozeQgI/GiOz0zaarke2TYPMOtZsI+pGxFIRb5nXg1SGdTQIoRULzTzQAe8I2uB3tXC3R0lSOI84T9857TDMsGYH43PhPzAnY9L2dKM1GYXUobvoeAHCWgGHsDBR2LUnJNeE5RaeyTyHuNCjpMhBoHtK5Tv+xGNuAg28iDVRqfdqp/CtfQ5HDFZMfGgXjbioh6pLwbtS83j1IiBT6zTzAXTMabwIIVYkKNV8rZ71FSrFfXMxZhMw4+Fj/EcY10bQwDWzNPH8LJej00K336fY/oXmpdiWf8gqU8Jn4PvRhdzKqdT6JWLZQFo6hUUtSF65WAHLaWZXpqnwvteX5LCxe31B6P1ySMdfjZIvksqVjRRkNRGy5fMcH0WEqVJ3WOK1G2KkFyDz+ifY5GbbAxCtH6kDNPxpMiyQAA+pRRvIwi3HZFE8/dv6WN6s65S719U9x2iES265RtDWuDa2NbOwU0EYtg2xQEQALw3p70XcpSMvijMeI7ZtIITJzWEKwA5t4LVUWOrzum7mYFJNG4wlmsnIKTd2087x9ANJTwdmzhHjyBnHmmQEwEDiyg5txXgo7cZiikV/0AwvdYqwfnw+o73gd9A1ak6aXhLqXDdCpaqyJE4akqXUuRqO2KxE8rG/6uaoIKnr8WvvMAFBPrRUtilXSfJ19kwTi6vwB9TE65o1yfc4vzqXqDs6V1bH3HQ45mX/KV4lXf8sHY3LQdnsV2TefSQp+vGVgkYmZwC95dtWIMX6R+JfIHEypgiOmfJqy3JjuMn9PultEbpwzPgSpo5ogPah+YNmT12tN1COkj4hz3O67gi3LHIvm7ca2XUV7MsqGAIgi/DncZNdn6xnAGBgHmkJrhJq3IETELWpCGDsBzdpYFzlTM/IfEjaLYO1/uTgR6R8zVBZTDWcaLXKZ0vxsOUZUi/eoIBVtF4BL1+CALIwvLUs7tXNhRB9+Fi4HhzB/yxcW2et90djbK0YqTmU4CYNzKXIWRzSe5JrRj/QhlIr6b3g823Lwc/fZjNqBks4JLVYoxhGI4v+Q8GZ1zKfuXJGJvIvHyUSh6y8wqeD2UjqSvwph8doz3/YuF7faHJYPfng8ZD7ZIil8xS6w2A9YG+fBXZlqHvQAi+vcG0AKRkB0LY3n4O6kWHvFbcVvHFGqVzwX1ABEBAAHCwXYEGAEIAAkFAmLYNsUCGwwAIQkQHTQJxBVCMYwWIQRJ2yDvoyMtgeBIT/sdNAnEFUIxjOy/D/4nM34OuwFmDv3GRq5VBAAq8UEoBKvdPpVsw27IMFqMQxCkBjNH5ZasYqc+4evktqjdM/1Li2DS8p/ZUMRCMWRcoX1/CzAaGNJMnEZmCiHu84aTwnNLxve4ehGhcXMlckRx//tt6HURzq9f/i6oMZLc6xIAMQb9mvMq9aG1clyGkHW+SR1o9l3b7H37+a4eXnZa7OaoayBLYIGV8kBooZUREQAmcjAHB8bM3jJ4seKYgLaEqf5BpC0N7oSrce4UC0SC0Gjg7WUbRXVRWmBipV4xsA6ukgS0kXofXSovPSmt/z4Spp2rmjLfzj4mHuRApu278tp4wVeh3BnHjwCWlCp9SemLodHw1Za0LOmRWhsV4dfp+kwO/fuDerwsX3LhaQ5JOSXIPxmTVjeub1weEJ6Cq2AANfP4tGlWkCQw2d+j+lHry6F92EQ2suAmi2zI0ayxP8v9jF44D1lziDnK8JvKvVBHtuN1Xk3vV5iGaLEAT08c5U+e3IY4tI/w5te+bNOjoyPapfQrYlMkXe2ZWYh0OOqrry1ebSR0bdNv3f3HgxjYq0JY5nhmuVX3la/m9lXNpZmjRlNOInhYN9qZWoSSVpQqAaSzF/bnXU5qU/l27Zv9quq8bWkfP2GWo2sjqwJorCrjIW/RD950hcZzPwJ1tL/rQkwd9GNYEx8YzRO0wg===FiVd
Disclosure Policy
- We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists.
- This is a discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.
- Your testing must not violate any law, or disrupt or compromise any data that is not your own. Vulnerability reports must be kept strictly confidential between yourself and Unqork.
- This program is not eligible for employees of Unqork.
- All testing should be done with your own account.
- We do not allow disclosure of the vulnerability.
- Do not use the vulnerability to exploit more than necessary to demonstrate the vulnerability.
Unqorker’s Hall of Fame
Thank you to all of our security researchers below for responsibly disclosing vulnerabilities with us:
- Sagar Yadav
- Seyedreza Zaferanjelodar
- Moshe Mizrahi
Want to learn how Unqork can accelerate your enterprise app development with zero code?