Responsible Disclosure Policy

Updated Feb 2, 2023

Although we strive to keep our system secure, we are not naive enough to think that our applications are 100% flawless. We take security issues seriously and respond swiftly to fix verifiable security issues.

We encourage anyone to report security issues to

Who can participate in the program?

Anyone who doesn't work for Union Test Prep who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated.

How should reports be formatted?

We would like you to format your reports like this:

Name: %name
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc

Which domains are in scope?

In scope:

  • *
  • *

Out of scope:

  • Any domains that are not listed above

However, if you can prove that a bug under these domains has a significant impact (for example, fetching content on from, a bug on these domains may qualify anyway.

What bugs are eligible?

Any typical web security bugs such as:

  • Authentication bypass
  • Cross-site request forgery
  • Cross-site Scripting
  • File inclusion
  • Open redirect
  • Server-side code execution

What bugs are NOT eligible?

Disruptive bugs or bugs with no/low impact or likelihood such as:

  • Brute force attacks
  • Denial of service
  • Email spoofing, SPF, DMARC & DKIM
  • Hardening tips (such as missing CSP header or SRI attribute)
  • Missing Cookie flags on non-session cookies or 3rd party cookies Logout CSRF
  • Password policy improvements
  • Social engineering
  • Weak TLS ciphers

Other guidelines

Please don't perform research that could impact other users. Secondly, please keep the reports concise. If we fail to understand the logic of your bug, we will tell you.

We reserve the right to discontinue the reward program without previous notice at any time.