UiPath Security

UiPath products make your company better while staying secure

Every UiPath product is designed and developed with security in mind. Security is built directly into our development lifecycle, by performing both automated security scans and penetration tests. We submit our releases to independent third-party review at the highest level to ensure that our security is more than trusted.

  • Security governance and controls

    UiPath maintains a comprehensive information security management system and engages independent auditors to provide industry-standard certifications and attestations.

    Additional details regarding the UiPath technical and organisational measures are available in the UiPath Information Security Exhibit.

    UiPath defines information security related roles and responsibilities across the organisation from the executive management (CISO, CPO, CTO, CLO) to employees and contingent staff.

  • Bug Bounty Program

    The UiPath Bug Bounty Program aims to leverage the expertise of HackerOne's ethical hacker community to find vulnerabilities in our RPA Platform and surrounding ecosystem, in order to keep our customers, partners and community users safe from malicious activities.

    If you find a vulnerability on any systems that you feel are part of the UiPath organization, please send us an email at hackerone@uipath.com. 

    The Program focuses on high priority items such as:

    • Identifying and exploiting vulnerabilities in the implementation of Orchestrator and Robot that permit escalation of privileges or out-of-rights/out-of-bounds actions on Orchestrator.

    • Identifying publicly discoverable/accessible service end-points for UiPath.

    • Discovering management level secrets such as passwords.

    • Gaining control over the Orchestrator machine(s) in an on-premises scenario where the threat actor (malicious entity) is not a provisioned user on Orchestrator at the application layer or OS level, but is able to join the network on which Robot and Orchestrator are deployed.

    • Using manual analysis or tools to conduct an objective evaluation of the Orchestrator application against OWASP Top 10 2017 Application Security Risks.

    • Injecting or uploading executable code into Orchestrator application that eventually runs itself, via interactive methods or access through APIs.

  • Internal & external testing

    Before every GA/Major release for our products, we run:

    • Static code analysis, third-party dependency vulnerability scans, dynamic analysis

    • Third-party dependency scans: licenses and vulnerabilities

    • Anti-malware scans

    Issues found go through triage and, as necessary, remediation.

    Following testing and remediation, all UiPath products including official activity packages are code-signed by UiPath to provide authenticity and integrity. Partner and open-source packages included in UiPath offerings also go through the same testing, but are typically code-signed by their respective authoring body. 
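    The code-signing point above is something a defender can verify on their own side before a package is published to an Orchestrator feed. The following PowerShell script is an added example, not UiPath's own tooling: it unpacks an activity package (a .nupkg is a zip archive), checks the Authenticode signature of every binary inside, and flags anything unsigned, tampered with, or signed by a publisher other than the one expected. The package path and the expected-signer pattern are placeholders to set for your environment (official packages would be matched against UiPath, partner packages against their own authoring body).

```powershell
# Added example (not UiPath code): audit the Authenticode signatures of the
# binaries inside a UiPath activity package before it is trusted in a feed.
# Assumptions: $PackagePath and $ExpectedSubjectPattern are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$PackagePath,   # e.g. Some.Activities.1.0.0.nupkg (placeholder)
    [string]$ExpectedSubjectPattern = 'CN=UiPath'         # assumed pattern; use the partner's CN for partner packages
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Unpack into a fresh temp folder so nothing is written into the package feed itself.
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("pkgaudit-" + [guid]::NewGuid())
[System.IO.Compression.ZipFile]::ExtractToDirectory($PackagePath, $work)

$findings = @()
Get-ChildItem -Path $work -Recurse -Include *.dll, *.exe | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # 'Valid' means the certificate chain verified and the file hash matches the
    # signature. Anything else (NotSigned, HashMismatch, UnknownError, ...) is a finding,
    # as is a valid signature from a publisher we did not expect.
    $problem = $null
    if ($sig.Status -ne 'Valid') {
        $problem = "signature status $($sig.Status)"
    } elseif ($subject -notlike "*$ExpectedSubjectPattern*") {
        $problem = "unexpected signer '$subject'"
    }

    if ($problem) {
        $findings += [pscustomobject]@{
            File    = $_.FullName.Substring($work.Length + 1)
            Signer  = $subject
            Problem = $problem
        }
    }
}

Remove-Item -Path $work -Recurse -Force

if ($findings.Count -eq 0) {
    Write-Output "All binaries in $PackagePath carry a valid signature matching '$ExpectedSubjectPattern'."
    exit 0
}
# Non-zero exit so a feed-publishing pipeline can block the package on any finding.
$findings | Format-Table -AutoSize
exit 1
```

    Run it as a gate in the pipeline that pushes packages to the Orchestrator feed; a non-zero exit means at least one binary failed the check and the package should not be published until the signer is confirmed.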

    The Security SDLC tasks implemented as appropriate are shown in the security trust portal diagram (image on the original page).
