Responsible Disclosure Policy
At Unifashia, we value the security of our systems and encourage security researchers to help us identify and address potential vulnerabilities. We have established a Responsible Disclosure Policy to facilitate the reporting and disclosure of any exploitable vulnerabilities found in our products, systems, or assets. By adhering to this policy, security researchers and ethical hackers can engage in responsible security testing without fear of legal repercussions.
Rules of Engagement
Researchers submitting a vulnerability to Unifashia must agree to abide by the terms of the Responsible Disclosure Policy.
The boundaries of what is in scope and out of scope are defined below.
Researchers must not engage in activities that violate user privacy, disrupt production systems, degrade user experience, or manipulate data.
Only necessary steps to confirm a vulnerability should be taken. Researchers must refrain from compromising or exfiltrating data, gaining unauthorized access, or attempting to pivot to other systems.
Once a vulnerability is identified or sensitive data is encountered, researchers must immediately cease further testing and promptly notify Unifashia. The confidentiality of discovered vulnerabilities must be maintained even after reporting.
Violation of applicable laws or breach of agreements in the process of discovering vulnerabilities may lead to legal action. The security team’s decisions regarding vulnerability validity, severity, and impact will be considered final.
Authorization
If researchers make a good faith effort to comply with this policy during their security research, Unifashia will consider the research authorized. We will collaborate with researchers to address the issues promptly, and no legal action will be taken against them.
To be considered responsible disclosure, research must refrain from exploiting identified vulnerabilities in ways that could extract customer or system information or impair our systems.
Exploiting identified vulnerabilities for unlawful gains or unauthorized access to restricted information may result in legal consequences.
Policy Coverage Area
The Responsible Disclosure Policy applies to the following mobile apps and websites hosted on (or on a sub-domain of) the listed domains:
unifashia.com
Unifashia Android App
Unifashia iOS App
If any vulnerabilities are discovered within the scope of this policy, researchers must immediately stop testing and notify Unifashia.
Out of Scope Vulnerabilities
The following vulnerabilities are considered out of scope and should not be reported:
General software-related bugs (e.g., SSL issues, older versions)
SPF/DMARC/DKIM records vulnerabilities without demonstrated compromise
Missing security headers or other security best practices without demonstrated compromise
Vulnerabilities related to outdated app versions or browsers (only current versions and the latest browser versions are accepted)
Exploits requiring MITM or physical access to the victim’s device
Clickjacking vulnerabilities
Unauthenticated/logout/login CSRF
Previously known vulnerable libraries without a working Proof of Concept
Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS
Open redirect vulnerabilities
Missing CAA DNS records
Stack traces, directory listings, or path disclosures
Self XSS
Social engineering attacks against users or employees
Issues on non-company assets like GitHub, Cloud Providers, etc., that Unifashia may use
Forgot Password page brute-force and lack of account lockout enforcement
Lack of Captcha
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Session Timeouts
Host Header Injection
Exposed API keys without clear demonstration of security impact
Exposed Google Maps API keys and keys in Android XML files (currently out of scope)
General Rules – Do’s & Don’ts
Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Automated tools or scripts are strictly prohibited.
Provide a clear step-by-step guide to reproduce the issue in any proof-of-concept (POC) submission.
Avoid privacy violations, user experience degradation, disruption of production systems, or data destruction during security testing.
Do not attempt unauthorized access to other people’s accounts, data, or personal information.
Use your real email address to report vulnerabilities to Unifashia.
Maintain confidentiality regarding any discovered vulnerabilities until approval for public disclosure is granted by Unifashia.
Do not use scanners or automated tools to find vulnerabilities.
Researchers must have the right, title, and interest to disclose any vulnerability found and to submit relevant information. By reporting a vulnerability, researchers grant Unifashia the right to use the disclosed information for appropriate purposes.
How to Report
If you identify a vulnerability within the scope of this policy, please report it to security@unifashia.com with the subject line “Suspected Vulnerability at Unifashia App/Website.” The email should include the following information:
Individual Details:
Full Name
Mobile Number
Public profile (Twitter, LinkedIn, Github, etc.)
Bug Details:
Name of the Vulnerability
Affected Application
Vulnerable Endpoint & Parameter
Impact
Detailed steps to reproduce
Remediation
Please keep your vulnerability reports current by sharing any new information that becomes available. Unifashia may share vulnerability reports with affected partners, vendors, or open-source projects.
Recognition
For helping us maintain the security of our systems, researchers whose verified reports result in the