At Ubiquiti we take security very seriously, and embrace the security research community. We provide products and services that millions around the world use every day, and understand privacy and security is very important to our customers.
To honor the Ubiquiti advocates that provide research and contributions to help improve security for our products, we provide a Security Reward Program. This program allows Ubiquiti to continuously improve the security of our products, while publicly recognizing the security enthusiasts submitting valid issues.
If you believe you have found a vulnerability in any of Ubiquiti's products or services, let us know as soon as possible, and we'll do our best to get the issues addressed as quickly as possible.
This Program will begin on November 1, 2014 and run until we publish that the Program has ended.
The Security Reward Program encompasses all of Ubiquiti's products. Including, but not limited to:
We consider a Vulnerability to be an error, flaw, mistake, failure or fault in a computer program or system that impacts the security of a device, system, network or data. In general, any Vulnerability may be considered for this Program. Please see exceptions below.
To submit a vulnerability or bug, please use our portal at https://hackerone.com/ubnt or send an email to firstname.lastname@example.org. Please include as many details as possible, in a clear and concise manner. If desired, you can use our PGP Key here.
Rewards typically range anywhere from US$100 - $25,000 depending on the application and the risk, complexity, impact and overall severity of the Vulnerability. Some examples include:
Our reward panel will review each Vulnerability submission for eligibility and final reward consideration. Final reward amounts are at the sole and final discretion of Ubiquiti's reward panel. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex Vulnerability submissions.
All reward payments are subject to compliance with local laws, rules and regulations. Before you receive your reward, we may require that you sign an affidavit of eligibility, a questionnaire, and a release of liability. You will be solely responsible for all applicable taxes relating to any reward under this Program.
Ubiquiti may publish a leaderboard of Vulnerability reporters based on previous security vulnerability and bug reports. These previous reporters may receive special access to Ubiquiti engineers. If you wish to remain anonymous to the public, we will honor your request.
Individuals 14 years of age or older may submit security vulnerabilities or bugs to Ubiquiti under this Program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parents' or legal guardian's permission prior to participating in this Program. You cannot reside in Cuba, Iran, North Korea, Sudan or Syria or countries subject to embargo regulations. There may be other laws or regulations restricting your ability to participate in this Program.
You must be participating in this Program in your own individual capacity or you work for an organization that permits you to participate in this Program. You may not participate in violation of your employer's policies or your contractual obligations. We disclaim any liability for disputes arising between you and your employer or any other person or entity relating to this Program. Employees and contractors of Ubiquiti, and their respective relatives, are prohibited from participating in this Program.
Please provide us reasonable time to research the submitted issues and during that time do not make information about the vulnerability public or further known in order to protect the security and privacy of our users, and to preserve your eligibility.
This program is void where it is prohibited or restricted. Ubiquiti is not responsible for incomplete, illegible, inaccurate, undelivered, delayed or misdirected submissions. Ubiquiti reserves the right, in its sole discretion, to modify or terminate this Program such as in the event of any act, occurrence or reason that it believes would corrupt the integrity, administration or fairness of this Program.
By participating in this Program, you agree to release, discharge and hold harmless Ubiquiti, its respective parents, affiliates, subsidiaries, advertising and promotion agencies, and other individuals engaged in the development or execution of this Program, from any liability, claims, losses and damages arising out of or relating to their participation in this Program, or the acceptance, use, misuse or possession of any reward received in this Program.
This Program is sponsored by Ubiquiti Networks, Inc., located at 2580 Orchard Parkway, San Jose, CA 95131, USA, and is hosted in the United States, and submissions are collected on computers in the United States. This Program will be governed by the laws of the State of California, and you consent to the exclusive jurisdiction and venue of the courts located in Santa Clara County, California for any disputes arising from this Program.