Security: unleashlive/security-policy

SECURITY.md

Vulnerability Disclosure Policy - Unleash live

At Unleash live, we take the security of our systems and our users' data very seriously. We appreciate the role of security researchers and the community in helping us maintain a secure environment. This policy outlines how you can report vulnerabilities to us and what you can expect in return.

By submitting a vulnerability report to Unleash live, you agree to the terms of this policy.

Scope

This policy applies to any security vulnerability you discover in any system or service operated by Unleash live. We encourage you to report any security issue you find, regardless of the specific system or service.

How to report a vulnerability

If you believe you have found a security vulnerability in an Unleash live system, please report it to us immediately by emailing us at:

admin@unleashlive.com

Please do not disclose the vulnerability publicly before we have had an opportunity to address it.

Please do not open public GitHub issues for security reports. Vulnerability reports should only be sent to the email address provided above.

What to include in a report

To help us understand and resolve the issue quickly, please include as much detail as possible in your report. This should ideally include:

  • A clear and concise description of the vulnerability.
  • The specific system, service, or URL affected.
  • Detailed steps on how to reproduce the vulnerability.
  • Proof-of-Concept (PoC) code, screenshots or a link to a video demonstrating the vulnerability.
  • Information about the potential impact of the vulnerability.
  • Any technical information that could help us understand and reproduce the issue (e.g., browser type, operating system, relevant software versions).
  • Your name or handle if you wish to be credited.

If you require a test account or access to a staging environment for your testing, please mention this in your initial contact email, and we will do our best to facilitate this where appropriate.

Safe Harbor

When conducting vulnerability research and reporting in accordance with this policy, Unleash live commits to:

  • Not pursue or support any legal action against you for accidental or good faith violations of this policy.
  • Not pursue or support any legal action against you for accessing our systems as authorized by this policy.
  • Work with you to understand and resolve the issue quickly.
  • Acknowledge your contribution to improving our security if you are the first to report a unique vulnerability and your report leads to a code or configuration change.

This Safe Harbor applies only to your security research activities conducted in good faith and in compliance with this policy.

Exclusions

The following activities are considered out of scope and are not permitted under this policy:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
  • Accessing or attempting to access data or accounts that do not belong to you.
  • Social engineering (e.g., phishing, vishing, baiting) of Unleash live employees or users.
  • Any actions that could disrupt or negatively impact our services or users.
  • Exfiltrating data beyond what is necessary to prove the existence of a vulnerability.

Our response

We are committed to timely and transparent communication with security researchers. After receiving your report, you can expect the following:

  • We will acknowledge receipt of your report within 48 hours.
  • We will provide an initial response or status update within 7 days.
  • We will keep you informed of our progress in resolving the vulnerability.
  • Once the vulnerability is resolved, we will notify you and, with your permission, publicly acknowledge your contribution (if applicable).

Bounty Program

Unleash live offers monetary bounties for eligible vulnerabilities reported through this policy, based on their severity. Bounty amounts are awarded at the discretion of Unleash live. All bounty amounts listed are in Australian Dollars (AUD).

Here is an outline of our bounty levels:

  • Severity: Critical

    • Bounty: $500
    • Description: Immediate action is required. The issue allows direct access to sensitive data and/or the system, and often to the complete takeover of the attacked application/system. No special user rights, user interaction, or other additional conditions are required to exploit the vulnerability. There are publicly available exploits and/or exploiting the vulnerability is not complex.
  • Severity: High

    • Bounty: $250
    • Description: High risk of unauthorized access to sensitive data, user accounts, and disturbance of application/system availability. Additional conditions exist that must occur for the attack to succeed. As with the critical level, there are publicly available exploits and/or exploiting the vulnerability is not complex.
  • Severity: Medium

    • Bounty: $125
    • Description: Medium risk of unauthorized access to sensitive data, user accounts, and disturbance of application/system availability or high risk of limited attack. Additional conditions exist that must occur for the attack to succeed.
  • Severity: Low

    • Bounty: $50
    • Description: Low risk of an attack, resulting in unauthorized access to non-sensitive resources or information. Alternatively, it introduces a risk only when chained with other vulnerabilities.
  • Severity: Info

    • Bounty: $10
    • Description: A weakness that does not itself lead to a successful attack but might enable one (e.g., lack of additional mitigations). Indicates good security practices to follow.

Bounty Eligibility and Payment

  • Bounties are typically paid via PayPal or Wise.
  • Unleash live is not responsible for any taxes or fees associated with receiving a bounty payment; researchers are responsible for their own tax obligations.
  • Eligibility for bounties is determined at the discretion of Unleash live. Generally, you must be the first person to report a specific, unique vulnerability that is within scope and leads to a code or configuration change. Employees and contractors of Unleash live are not eligible for bounties.
  • Unleash live reserves the right to change or terminate the bounty program at any time without prior notice.

Legal

By participating in this vulnerability disclosure program, you agree to comply with all applicable laws.

This policy does not create any employment, contractor, or other legal relationship between you and Unleash live.

Unleash live reserves the right to modify this policy at any time.

Thank you for helping to keep Unleash live secure!