Vulnerability Disclosure Policy

Unilever is committed to safeguarding and protecting our information and any other information entrusted to us.

This means we take cyber security issues very seriously and recognise the importance of privacy, security, and community outreach. As such, we are committed to addressing and reporting security issues through a coordinated and constructive approach; designed to drive the greatest protection for technology users and protection of Unilever information along with information relating to our customers, consumers and employees.

When properly notified of legitimate issues, we will do our best to acknowledge your vulnerability report, assign resources to investigate the issue, and fix potential problems as quickly as possible. Whether you are a user of Unilever products, a software developer, or simply a security enthusiast, you are an important part of this process.

Reporting security issues

If you believe you have discovered a vulnerability in a Unilever asset / system or have a security incident to report, please fill out this form or send an email to unilever-vdp@submit.bugcrowd.com.

In all cases, you must:

Respect our privacy. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords and other credentials. You must not save, store or transmit this information.
Act in good faith. You should report the vulnerability to us with no conditions attached.
Work with us. Promptly report any findings to us, stopping after you find the first vulnerability and requesting permission to continue testing. Allow us a reasonable amount of time to resolve the vulnerability before publicly disclosing it.

And you must not:

Exfiltrate data. Instead use a proof of concept to demonstrate a vulnerability.
Exploit a vulnerability to disable further security controls.
Perform social engineering.
Use automated scanners.

Next Steps

Upon receipt of vulnerability / security report, Unilever will undertake a series of steps to address the issue:

Unilever requests the reporter keep any communication regarding the vulnerability confidential.
Unilever investigates and verifies the vulnerability.
Unilever addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, Unilever will provide information on recommended mitigations.
Unilever will endeavour to keep the reporter apprised of every step in this process as it occurs.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers. Thank you for working with us through the above process.

Our company

History & Archives

Latest news stories

Press and media

Brands

Beauty & Wellbeing

Personal Care

Home Care

Nutrition

Innovation

What's in our products?

Planet & Society

Climate action

Protect and regenerate nature

Waste-free world

Positive nutrition

Health and wellbeing

Equity, diversity and inclusion

Raise living standards

Future of work

Respect human rights

Responsible business

Sustainability reporting centre

Safety and Environmental Science

Take action

Suppliers

Partner with Purpose

Investors

Results, presentations and webcasts

Annual Report and Accounts 2022 Highlights

Shareholder centre

Debt investors

Corporate governance

News and announcements

Vulnerability Disclosure Policy

Reporting security issues

Next Steps