Reward Structure

Important: All reward amounts are at UnoLock's sole discretion based on severity, impact, quality of report, and current budget availability. Rewards are not guaranteed and may vary within the stated ranges.

Platforms In Scope

• UnoLock Web App (PWA): https://app.unolock.com
• Windows Store App: Desktop application
• API Endpoints: Any API used by web/desktop applications

Out of Scope Platforms

• Third-party infrastructure (AWS, Stripe, Google Workspace)
• Mobile apps (not yet launched)
• Browser extensions (don't exist)

Tier 1: Critical Security Issues ($500 - $1,000 AUD)

Critical vulnerabilities that could compromise user vaults, encryption keys, authentication, or enable unauthorized access to sensitive data.

1. Authentication & Access Control

FIDO2/WebAuthn Implementation

• Bypass WebAuthn authentication to access any vault without valid passkey
• Forge passkey credentials or attestation to impersonate users
• Server-side WebAuthn verification bypass
• Cross-origin passkey binding attacks
• Relying party ID validation bypass
• Challenge-response replay attacks
• Passkey registration hijacking (register attacker's passkey on victim's vault)

PIN-Based Authentication

• Bypass randomized PIN keypad to access vault
• Brute force PIN without rate limiting
• Session fixation allowing PIN bypass
• Client-side PIN validation bypass

Multi-Key & Multi-Device Access

• Access vault from unauthorized device without proper authentication
• Cross-device session hijacking

2. Vault Encryption & Data Protection

Client-Side Encryption (AES-256-GCM)

• Bypass client-side encryption to access plaintext vault data
• Extract or derive vault encryption keys
• Downgrade AES-256-GCM to weaker encryption
• Access vault contents server-side (breaking zero-knowledge)

Post-Quantum Encryption

• Bypass ML-KEM-1024 post-quantum encryption
• Downgrade TLS with post-quantum session keys to weaker ciphers
• Man-in-the-middle attacks on post-quantum key exchange
• Exploit post-quantum cryptography implementation flaws

Key Management

• Bypass key derivation function (KDF) to recover keys
• Leak encryption keys through error messages or logs
• Cross-vault key contamination (keys from one vault used on another)

3. Vault Data Access & Authorization

Zero-Knowledge Architecture Bypass

• Server-side access to vault contents (breaking zero-knowledge promise)
• SQL injection leading to encrypted vault data access
• NoSQL injection leading to vault data access
• Access another user's vault data without authorization
• Bypass vault access controls to view/modify data you shouldn't access

Insecure Direct Object References (IDOR)

• Access other users' vaults by changing vault ID parameter
• Access other users' vault metadata (names, creation dates, sizes)
• Modify other users' vault contents through parameter manipulation
• Delete other users' vaults through IDOR

Data Leakage

• Vault contents leaked through error messages
• Vault contents leaked through logs or monitoring
• Metadata leakage revealing vault structure or contents

4. LegacyLink (Inheritance Feature)

Time-Based Transfer Security

• Bypass time-lock to access inheritance vault prematurely
• Modify LegacyLink beneficiary without authorization
• Delete or disable LegacyLink without owner's consent
• Access LegacyLink vault contents before trigger event
• Forge LegacyLink transfer notifications
• Bypass LegacyLink authentication for heir access

Vault Transfer Integrity

• Bypass LegacyLink access controls
• Execute LegacyLink transfer without proper authorization

5. Payment & Subscription Security

Payment Bypass

• Access premium features (Inheritance, Sovereign, HighRisk) without payment
• Bypass Stripe payment verification
• Bypass Bitcoin payment verification
• Extend subscription without renewal payment

Payment Isolation

• Link Stripe payment metadata to vault contents (breaking payment anonymity)
• Access vault data through Stripe integration
• Payment data leakage revealing user identity or vault usage

6. Cryptocurrency Features (Digital Paper Wallet, DPW VaultSign, SeedSafe)

Private Key Protection

• Extract BIP-39 seed phrases from SeedSafe storage
• Access cryptocurrency private keys stored in vault
• Bypass split-storage encryption for SeedSafe
• Leak private keys during DPW VaultSign transaction signing
• Extract keys during Digital Paper Wallet generation

Air-Gapped Security

• Bypass air-gapped transaction signing security (DPW VaultSign)
• Exfiltrate private keys during air-gapped operations
• Inject malicious transaction data into DPW VaultSign process

7. Emergency Features (Duress Decoy, LifeSafe)

Duress Decoy Vault

• Identify which vault is real vs decoy (defeating plausible deniability)
• Access real vault data when duress PIN is entered
• Bypass duress PIN to force access to real vault data

LifeSafe Emergency Wipe

• Prevent LifeSafe wipe from executing (data survives when it shouldn't)
• Recover data after LifeSafe wipe
• Trigger LifeSafe wipe without authorization (denial of service)
• Bypass LifeSafe safeword authentication

8. File Encryption & Storage (ULF Format)

File Encryption Security

• Bypass ULF file encryption to access plaintext files
• Extract encryption keys from ULF files
• Access ULF files without proper vault authentication
• Decrypt ULF files server-side

AWS S3 Storage Security

• Access AWS S3 buckets directly without authentication
• Bypass S3 server-side encryption (SSE)
• Access other users' files in S3 storage
• Enumerate or list files in S3 buckets

9. Session Management

Session Security

• Session hijacking after WebAuthn/PIN authentication
• Session fixation attacks
• Cross-site request forgery (CSRF) on vault operations
• Session token theft or prediction
• Concurrent session abuse (access vault from multiple locations)

Logout & Session Termination

• Access vault after logout
• Session persists after device removal
• Bypass inactivity timeout (LockOut Guard)

10. API Security

API Authentication

• Access API endpoints without valid authentication
• Bypass API rate limiting on sensitive operations
• API authentication token theft or replay
• Forge API requests to perform unauthorized actions

API Encryption (ECDHE_ECDSA, KEM, AES-256-GCM)

• Man-in-the-middle attacks on API communication
• Downgrade API encryption to weaker ciphers
• Bypass ECDHE_ECDSA/ KEM authentication

Tier 2: High Security Issues ($200 - $500 AUD)

High-impact vulnerabilities that could compromise individual accounts, leak limited data, or bypass important security controls.

11. VaultX (Anonymous File Transfer)

Transfer Security

• Access VaultX files without recipient authorization
• Identify sender/recipient of VaultX transfers (breaking anonymity)
• Inject malicious files into VaultX transfers
• Bypass VaultX encryption

12. Vault Messaging (Zero-Knowledge Messaging)

Message Security

• Access encrypted messages server-side (breaking zero-knowledge)
• Intercept or decrypt vault messages in transit
• Send messages as another user (message spoofing)
• Bypass message encryption
• Message metadata leakage (sender, recipient, timestamps)

One-Way vs Two-Way Messaging

• Bypass tier restrictions (send two-way messages on free/inheritance tier)
• Access message history without authorization

13. Spaces (Isolated Vault Segments)

Access Control

• Access Spaces without proper authorization
• Bypass granular access controls on Spaces
• Cross-Space data contamination or leakage
• Access Spaces from wrong subscription tier (free/inheritance accessing Sovereign feature)

14. LockOut Guard (Inactivity Recovery)

Recovery Security

• Bypass LockOut Guard to gain unauthorized vault access
• Abuse LockOut Guard to reset access for another user's vault
• Prevent legitimate user from using LockOut Guard recovery

15. Cross-Site Scripting (XSS)

Stored XSS

• Execute JavaScript in vault context to exfiltrate data
• XSS leading to session token theft
• XSS leading to vault data access

Reflected XSS

• Reflected XSS on vault pages
• XSS through URL parameters
• XSS through error messages

16. Cross-Site Request Forgery (CSRF)

• CSRF on vault creation
• CSRF on vault deletion
• CSRF on LegacyLink setup/modification
• CSRF on subscription changes
• CSRF on passkey registration/removal
• CSRF on Spaces access control changes

17. Data Integrity

SHA-256 Hash Verification Bypass

• Upload files that fail SHA-256 verification but are still stored
• Modify uploaded data without detection
• Bypass integrity checks on vault data

Perfect Forward Secrecy Bypass

• Decrypt old vault sessions using current keys
• Access deleted data that should be unrecoverable

18. Multi-Region Storage & Data Residency

• Concurrent access to vault data from multiple regions should not corrupt data.

Tier 3: Medium Security Issues ($100 - $200 AUD)

Medium-impact issues with limited security risk or requiring user interaction.

19. Business Logic Flaws

• Exceed storage limits (1MB free, 1GB inheritance, etc.)
• Access premium features on wrong tier
• Bypass tier restrictions on features (VaultX, Spaces, DPW on free tier)

20. Information Disclosure

• Enumerate valid vault IDs
• Determine if email address has vault
• Expose API endpoints or internal URLs

21. Clickjacking

• Clickjacking on vault creation page
• Clickjacking on LegacyLink setup
• Clickjacking on payment/subscription pages
• Clickjacking on vault deletion

22. Rate Limiting Bypass

• Brute force PIN codes without rate limiting
• Bypass rate limiting on authentication attempts
• Bypass rate limiting on API calls
• Abuse unlimited vault creation

23. Client-Side Security

Scope rule: Client-side issues must either keep the Safe locked (leakage while logged out / Safe closed) or, if the Safe is open, demonstrate plaintext or key material leaving the device (e.g., transmitted to our servers or an attacker-controlled origin) without the user’s knowledge.

• Persist vault secrets or metadata locally after logout despite the "no local storage or cookies" guarantee
• Leave decrypted vault data in browser cache/history that survives closing the Safe
• Client-side validation bypass that causes plaintext vault data or encryption keys to be sent off-device

Tier 4: Low/Informational Issues ($50 AUD)

Low-impact issues with minimal security risk but worth fixing.

24. UI/UX Bugs

• Vault interface rendering issues preventing access
• Randomized PIN keypad not rendering (authentication impossible)
• Critical buttons not functioning (save, delete, encrypt)
• Forms not submitting on critical flows

25. Security Best Practices

• Missing security headers with demonstrated impact
• Subresource Integrity (SRI) missing on critical scripts
• Content Security Policy (CSP) bypass
• Referrer Policy leaking sensitive URLs

26. Minor Information Leaks

• Verbose error messages revealing system details
• Debug endpoints accessible in production

Out of Scope (No Rewards)

Infrastructure

• AWS S3, AWS Lambda, AWS CloudFront infrastructure vulnerabilities
• Stripe payment processor vulnerabilities
• Google Workspace vulnerabilities
• Third-party CDN or hosting issues

Attack Types

• Denial of Service (DoS/DDoS) attacks
• Social engineering (phishing, pretexting)
• Physical attacks (device theft, shoulder surfing)
• Client device compromises (malware, memory scraping, privileged forensic tools) that only read plaintext while the Safe is open and never cause data to leave the device
• Timing or side-channel attacks (cache timing, electromagnetic analysis, etc.)
• Brute force attacks without demonstrating rate limiting bypass
• Self-XSS (user pasting malicious code into their own vault)

Non-Security Issues

• Typos or grammatical errors
• Feature requests
• UI/UX improvements without security impact
• Browser compatibility issues

Excluded Platforms

• Browser extensions (don't exist)
• Mobile apps (iOS/Android - not in current scope)
• Outdated browser versions (must test on latest Chrome/Edge/Firefox)

Previously Disclosed Issues

• Vulnerabilities already reported by another researcher
• Issues publicly disclosed before private reporting
• Duplicate reports

How to Submit a Vulnerability

1. Email: security@unolock.com

2. Use PGP Encryption (Recommended): Download our PGP public key

Report Should Include:

• Vulnerability Description: Clear explanation of the security issue
• Impact Assessment: What an attacker could achieve
• Reproduction Steps: Detailed step-by-step instructions to reproduce
• Proof of Concept: Code, screenshots, or video demonstration
• Affected Components: URL, API endpoint, or feature affected
• Suggested Fix: (Optional) How to remediate the vulnerability

Response Timeline

Rules of Engagement

You May:

• Create test accounts/vaults for research purposes
• Test on your own data only
• Use automated tools with rate limiting respect
• Test all in-scope platforms and features
• Report vulnerabilities confidentially

You Must Not:

• Access, modify, or delete other users' vaults or data
• Perform denial of service attacks
• Spam or abuse the platform
• Social engineer UnoLock employees or users
• Publicly disclose vulnerabilities before fix deployment
• Violate any laws or regulations

Safe Harbor

UnoLock commits to the following safe harbor for security researchers who:

• Follow the rules of engagement outlined above
• Report vulnerabilities responsibly to security@unolock.com
• Give us reasonable time to fix before public disclosure
• Do not exploit vulnerabilities beyond proof of concept
• Do not access, modify, or delete other users' data

We will not pursue legal action against researchers who comply with these terms. We consider good-faith security research conducted under this program to be authorized testing.

Payment Methods

Upon validation and fix deployment, rewards will be paid via:

• PayPal: Preferred for most researchers
• Bitcoin: Available for anonymous payments
• Wire Transfer: Available for large rewards (>$500 AUD)

Tax Responsibility: Researchers are responsible for any tax obligations in their jurisdiction.

Important Terms

Discretionary Rewards

All reward amounts are at UnoLock's sole discretion based on:

• Severity of impact
• Quality of report and reproduction steps
• Whether issue is in scope
• Whether issue is a duplicate
• Current budget availability

First Come, First Served

If multiple researchers report the same vulnerability, only the first valid report will be eligible for a reward.

Budget Cap

UnoLock reserves the right to pause the bug bounty program if the annual budget is reached. The program will resume at the start of the next fiscal year.

Reward Ranges

Reward amounts listed are ranges, not guaranteed payments. Final reward amount will be determined after vulnerability validation and impact assessment.

Program Changes

UnoLock reserves the right to modify or terminate this program at any time with 30 days notice.

Questions About This Program?

Security Team: security@unolock.com

PGP Public Key: unolock.com/.well-known/pgp-key.txt

General Support: support@unolock.com