Security at Ubiq

Security is at the core of everything we do – our culture, our values, and our day-to-day.

Our customers trust us with a critical part of securing their business. In addition to internal security controls and policies and secure application development practices, Ubiq routinely works with several industry-leading security firms to ensure that we are constantly assessing, validating, and improving our security posture.

Compliance

Ubiq is compliant with SOC 2 Type 2 standards and undergoes regular third-party audits, security reviews, and penetration tests to maintain our certification (and ensure a safe and trustworthy service).

If you are an Enterprise customer and would like access to Ubiq's SOC 2 Type 2 report, please email [email protected]. Please note that as standard practice, our certification reports are only released under a non-disclosure agreement.

HTTPS for secure connections

Ubiq enforces HTTPS for all services using TLS (SSL), which includes our Dashboard and our website.

  • Ubiq’s official libraries connect to Ubiq’s servers over TLS and verify TLS certificates on each connection

Vulnerability disclosure and reward program

Keeping our platform safe and secure is a top priority for us at Ubiq. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all of our customers.

If you believe you’ve discovered a bug in Ubiq’s security, please get in touch at [email protected]. Our security team quickly investigates all reported security issues and will respond as quickly as possible to your report. We request that you not publicly disclose the bug until it has been addressed by Ubiq.

Security researchers are an invaluable asset to the internet community, and we appreciate the hard work that goes into security research to keep our platform safe. To demonstrate and reinforce our appreciation, we maintain a reward program for responsibly disclosed vulnerabilities. Ubiq rewards the confidential disclosure of any implementation or design issue that could be used to compromise the integrity or confidentiality of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf).

Here are some key points about our program:

  • A minimum reward of $250 USD may be provided for the disclosure of qualifying bugs.
  • At our discretion, we may increase the reward amount based on the creativity or severity of the bugs.
  • If you report a vulnerability that does not qualify under the above criteria, we may still provide a minimum reward of $100 USD if your report causes us to take specific action to improve Ubiq’s security.
  • Like most security reward programs, we hope that you’ll use common sense when looking for security bugs.
  • Vulnerabilities must be disclosed to us privately with reasonable time to respond and avoid compromise of other users’ accounts.

As with most security reward programs, there are some restrictions:

  • We will only reward the first person to responsibly disclose a bug to us
  • Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be rewarded
  • Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time
  • Your testing must not violate any laws
  • We can’t provide you a reward if it would be illegal for us to do so, such as to residents of countries under current U.S. sanctions.

Ineligible Vulnerabilities

Furthermore, Ubiq does not consider the following to be eligible vulnerabilities:

  • Phishing or Social Engineering Techniques
  • Self-XSS
  • Denial of service
  • Reports of spam
  • Content/text spoofing
  • "Session too long," password reset/change logout or other intended business functionality
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Hypothetical sub-domain takeovers without supporting evidence
  • Cookie valid after password change/reset
  • Email validation not enforced
  • Session invalidation or other improved security related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
  • Use of “weak” TLS ciphers
  • SSRF (unless there is evidence that the vulnerability allows an attacker to access Ubiq internal systems or user data)

In Scope

Ubiq and all services offered by Ubiq are eligible for reward, including assets in the following domains:

  • *.ubiqsecurity.com

Out of Scope

Vulnerabilities in third-party applications that use Ubiq are not eligible.