Unison Software Inc. Vulnerability Disclosure Policy (VDP)
This policy establishes guidelines for the responsible disclosure of security vulnerabilities affecting Unison's information systems and commercial off-the-shelf products.
Purpose
This policy establishes guidelines for the responsible disclosure of security vulnerabilities affecting Unison's information systems and commercial off-the-shelf products. It enables ethical security researchers to report vulnerabilities in a safe, responsible, and authorized manner. The policy supports Unison Software Inc.'s compliance with:
- NIST SP 800-53 Rev. 5 (Control PM-30, SI-12, SI-14)
- FedRAMP Continuous Monitoring (ConMon) requirements
- CMMC 2.0 Practices (AM.3.036, RM.3.144)
Scope
The following Unison Software Inc.-owned and managed assets are in scope:
- Contracting SaaS
- FedConnect
- [Other public-facing systems as listed in the current scope register]
Note: Vulnerabilities in systems operated by third parties or vendors must be reported to them directly.
Rules of Engagement
Researchers must:
- act in good faith and notify Unison promptly upon discovery,
- only access data belonging to their accounts,
- avoid modifying, deleting, or exfiltrating data,
- never exploit or degrade service availability (e.g., DoS),
- avoid phishing, social engineering, or physical access attempts,
- not use automated scanning tools.
Security research conducted in accordance with this policy is authorized and protected under Safe Harbor provisions based on HackerOne and U.S. Department of Justice guidelines.
Exclusions / Out-of-Scope
The following are generally not considered in scope unless part of a chained exploit:
- Clickjacking without sensitive actions
- Missing HTTP-only or Secure cookie flags
- CSRF on non-sensitive forms
- Publicly known vulnerabilities ("Zero-Days") with a patch < 30 days old
- Rate limiting or brute force issues on non-authentication endpoints
- Version disclosures or error banners
- Social engineering and physical attacks
- Automated scanner results without demonstrated exploitability
A comprehensive and up-to-date exclusion list is maintained in the internal VDP register.
Reporting Process
To report a vulnerability, contact us via:
Please include:
- Target system URL (or versions of Unison software and the web server where the exploit was discovered),
- a detailed description of the vulnerability,
- step-by-step reproduction instructions,
- screenshots, proof-of-concept code, or videos, if applicable.
One vulnerability per submission unless part of a chained exploit. We will acknowledge your submission within 3 business days.
Researcher Commitment
- Refrain from public disclosure without mutual agreement.
- Follow Coordinated Vulnerability Disclosure (CVD) practices.
- Stay within scope and comply with applicable laws.
Unison Security Team Commitments
We will:
- Promptly acknowledge receipt of valid reports.
- Provide expected remediation timelines.
- Communicate and collaborate on severity and impact.
- Notify you upon resolution.
- Publicly recognize researchers (with consent) who responsibly report high-impact issues.
Privacy Notice for Vulnerability Reporters
In accordance with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other applicable privacy laws (e.g., GDPR, Virginia CDPA):
Personal Information Collected: We may collect your name, email address, IP address, and any other information voluntarily provided in your submission.
Purpose of Use: This information will be used solely to:
- Validate and remediate reported vulnerabilities
- Communicate regarding your submission
- Fulfill compliance and audit requirements
Data Sharing and Retention:
- We do not sell or share your personal information for commercial purposes.
- We retain information only as long as necessary for the purpose of vulnerability management and compliance.
Your Rights: You may request access to, correction of, or deletion of your personal data by contacting privacy@unisonsoftware.com.