
Responsible Disclosure Policy

Last updated: 13 February 2026

1. Introduction

Security is fundamental to how we operate. We welcome reports from security researchers, ethical hackers, and the broader community who help us identify and address potential vulnerabilities. This policy outlines how to report security issues responsibly and what you can expect from us.

2. Scope

This policy applies to vulnerabilities discovered in the unofax web application at unofax.com and its associated APIs. The following are out of scope:

• Third-party services (e.g. Square payment processing, Google Analytics)
• Social engineering or phishing attacks against unofax employees or users
• Denial of service (DoS/DDoS) attacks
• Physical security issues
• Vulnerabilities in software or infrastructure not owned by unofax

3. How to Report

If you discover a potential security vulnerability, please report it to us by emailing support@unofax.com. Include as much detail as possible:

• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any supporting evidence (screenshots, proof-of-concept code, logs)
• Your name and contact information (optional, but helpful for follow-up)

4. Our Commitments

When you report a vulnerability in good faith and in accordance with this policy, we commit to:

• Acknowledging receipt of your report within 3 business days
• Providing an initial assessment within 10 business days
• Keeping you informed of our progress toward resolving the issue
• Not pursuing legal action against you for your research activities conducted in compliance with this policy
• Crediting you (if desired) when we publicly address the vulnerability

5. Guidelines for Researchers

To ensure your research is conducted responsibly, please adhere to the following guidelines:

• Do not access, modify, or delete data belonging to other users
• Do not disrupt or degrade the availability of unofax services
• Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
• Act in good faith and avoid any actions that could harm unofax or its users
• Only test against accounts you own or have explicit permission to test

6. Safe Harbour

We consider security research conducted in accordance with this policy to be authorised and will not pursue legal action against researchers who comply with these guidelines. If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take reasonable steps to make it known that your actions were authorised.

7. Exclusions

The following types of findings are generally not eligible for consideration under this policy:

• Missing security headers that do not lead to a demonstrable exploit
• Clickjacking on pages with no sensitive actions
• Self-XSS (cross-site scripting that only affects the user's own session)
• Missing rate limiting without demonstration of abuse potential
• Vulnerabilities requiring outdated browsers or plugins
• Issues discovered through automated scanning without manual verification

8. Contact

For all reports and enquiries, please email support@unofax.com.
