Vulnerability Disclosure Policy

UnoLock Vulnerability Disclosure Policy


1.1 Introduction

Techsologic Incorporated (Corporation Number 734340-0, headquartered at 150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Canada), provider of the UnoLock platform, including all services, features, applications, and websites (collectively, the "Services"), establishes this Vulnerability Disclosure Policy to guide security researchers, customers, and partners in responsibly reporting potential security weaknesses. This policy, incorporated into the UnoLock Terms of Service ("Terms") at https://www.unolock.com/tos.html, reinforces our zero-knowledge architecture, Absolute Anonymity, and compliance obligations under Canadian law (PIPEDA), GDPR, HIPAA, and other privacy regulations, as referenced in Section 6 (Data Security and Encryption), Section 9 (Privacy and Anonymity), and Section 17 (Compliance with Privacy Regulations) of the Terms.


1.2 Scope and Objectives

This policy covers vulnerabilities affecting the security, confidentiality, integrity, or availability of the Services, including web applications, mobile applications, APIs, infrastructure, and supporting components. It encourages good-faith research that respects our users and systems, aligns with Section 5 (User Responsibilities) of the Terms, and helps us remediate issues without exposing sensitive data.


1.3 Reporting Channels

Submit suspected vulnerabilities to the UnoLock Security Team using one of the following channels:

  • Email: security@unolock.com (encrypt with the PGP key at https://www.unolock.com/.well-known/pgp-key.txt for sensitive content).
  • Support Portal: https://www.unolock.com/support.html.
  • Emergency Escalation: Mark the subject "URGENT" when reporting actively exploited or high-impact vulnerabilities so the on-call responder is paged.

Our .well-known/security.txt file (RFC 9116) mirrors these contact points to assist automated tooling and security scanners.


1.4 Submission Guidelines

To facilitate rapid triage, include the following details where possible:

  • Issue description with clear steps to reproduce, including affected endpoints, parameters, and payloads.
  • Impact analysis explaining the security risk, potential exploitability, and any prerequisites.
  • Environment details such as browser, operating system, UnoLock client version, and tooling used during testing.
  • Proof of concept output or logs demonstrating the issue, while avoiding destructive actions or accessing data belonging to others.

Do not submit malware binaries, personal data of other users, or bulk vault exports. If sensitive data is inadvertently accessed, cease testing immediately, sanitize it, and report the exposure.


1.5 Testing Rules and Out-of-Scope Areas

Good-faith research excludes activities that could harm users or disrupt the Services. The following activities are prohibited:

  • Denial of Service (DoS), volumetric traffic flooding, or stress testing production systems.
  • Social engineering, phishing, or physical security attacks against Techsologic staff, contractors, or customers.
  • Accessing, modifying, or deleting data that does not belong to you, including vault contents or payment information.
  • Using automated scanners that bypass rate limiting or deploy exploit code beyond controlled proof-of-concept testing.

Focus research on vulnerabilities that materially affect security posture. Reports concerning missing security headers, clickjacking on non-sensitive pages, or issues requiring rooted/jailbroken devices may be deprioritized unless accompanied by a clear impact narrative.


1.6 Safe Harbor Commitments

Techsologic will not initiate legal action against researchers who comply with this policy, operate in good faith, and avoid privacy violations or service disruptions. Good-faith testing should stop immediately upon discovering a potential issue, and findings should be reported without public disclosure until remediation is complete, consistent with Section 14 (Modifications to Terms) and Section 17 (Compliance) of the Terms.


1.7 Triage and Response

We follow a structured triage process to collaborate with researchers:

  • Acknowledgment: We aim to acknowledge reports within 48 hours, providing a tracking reference and initial severity assessment.
  • Verification: Issues are validated and risk-rated using CVSS and internal threat models. Duplicate submissions are linked to the original reporter.
  • Remediation: Mitigations or fixes are deployed based on severity, with periodic updates shared at least every five business days until closure.
  • Disclosure coordination: Once remediated, we coordinate public communication timelines with the reporter before publishing advisories.

Critical vulnerabilities that threaten user vault confidentiality or authentication integrity receive immediate escalation to the engineering incident response team.


1.8 Data Handling and Zero-Knowledge Constraints

UnoLock’s zero-knowledge design means safes are encrypted and provisioned entirely on the client. We never possess users’ encryption keys, cannot decrypt vault contents, and do not maintain telemetry that links a safe to a particular individual. When validating a report, we may request reproducible metadata from the reporter because we cannot inspect user vault data or recreate customer-specific states. Any diagnostic logs you provide should exclude personal information wherever possible.


1.9 Recognition

While UnoLock does not presently operate a monetary bug bounty program, we value responsible disclosures. With your consent, we may recognize significant findings on our Security Acknowledgements page at https://www.unolock.com/security/acknowledgements once remediation is complete.


1.10 Policy Updates

Techsologic may revise this policy to reflect changes in the Services, legal requirements, or disclosure workflows. Material updates will be posted at https://www.unolock.com/support.html with 30 days’ notice where feasible. Continued use of the Services after the effective date constitutes acceptance of the revised policy, per Section 14.5 of the Terms.


1.11 Contact Information

For inquiries or follow-up on submitted reports, contact:

  • Mail: Techsologic Incorporated, 150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Canada
  • Email: security@unolock.com
  • Security Reports: https://www.unolock.com/support.html
  • Support Portal: https://www.unolock.com/support.html