Unity Technologies is committed to helping game developers build games easily and in a secure fashion. As part of this we encourage security researchers to test our security and find the things we miss. We look forward to seeing what you find!
What we expect from you
- Send us a full, detailed report (discussed below) as soon as possible upon discovery of a potential security issue
- Refrain from any disclosure to the public or a third-party before resolution of the issue.
- Make a good faith effort to avoid privacy violations, destruction/modification of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- If you have compromised a Unity server you will not use it for further chained attacks.
- Clean up after your tests. Both automated and manual tests can leave a number of dummy and spam entries, so we ask you to do your best to remove them after you're finished.
- By sending us a report or otherwise participating in our bug bounty program, you agree that you have read and understood this policy and agree to all its terms.
What you can expect from us
- We will respond to your bug report as quickly as we can.
- We will keep you updated on the progress of getting the issue fixed.
- Reward decisions are made once a week.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.