U Mobile’s Vulnerability Disclosure Policy

At U Mobile, we are committed to protecting the privacy and security of our customers and employees, taking continual steps to ensure the protection of the services we provide.

A security vulnerability is an IT security weakness in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or service. If you discover a potential security vulnerability in any of our products, systems or services, we encourage you to report it so we can address it quickly. This policy explains how to do that responsibly.

How To Report a Vulnerability

If you identify a security vulnerability, please follow the steps below to report it:

1.        Please submit your report to our security team at Bugreport@u.com.my

2.        When submitting your report, please provide the following information:

            a. A clear description of the security vulnerability and the location;

            b. Steps needed for us to reproduce the issue (these include proof of concept scripts, screenshots or screen captures);

            c. Any potential impact of the security vulnerability;

            d. Affected systems or services; and

            e. Your contact information.

If you share your contact information and personal details, we will use that information to clarify the details of your report with you. To learn more about how your personal information is handled, please visit U Mobile’s Privacy Notice; https://www.u.com.my/en/personal/support/terms-conditions/others/privacy-notice

We do not guarantee that you will receive any response from us related to your report and we will only contact you if we deem it necessary.

Terms and Conditions

By making a report or communicating a report to U Mobile, you acknowledge and agree to be bound by the terms and conditions below:

1. You agree that U Mobile may use the report for any purpose deemed necessary, including for rectifying reported security vulnerabilities and errors and that U Mobile deems to exist and to require correction.
2. You agree to waive all proprietary rights or claims in relation to any suggestions included in your report.
3. You will not access or modify data, systems or services without authorization or use the information related to the report or your findings for any purpose other than for making a report to U Mobile.
4. You will report the vulnerabilities responsibly, with the goal of improving security.
5. You will not disclose publicly or to any third party including on any social media forums any information about your report, the reported vulnerabilities or errors or any other discovered or potential vulnerabilities, including the fact that vulnerabilities have been reported to U Mobile and any action taken by U Mobile as a consequence of your report.
6. You have not and will not undertake any actions which may breach applicable laws in connection with your report and your interaction with U Mobile’s product or service that led to your report, and you will comply with applicable laws at all times including those related to privacy and security of personal information.
7. You will not resell or redistribute U Mobile’s data and information.
8. You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability or error discovered.
9. You have not engaged, and will not engage, in testing or researching U Mobile’s systems, platforms, products and services with the intention or effect of causing damage, losses or any harm to U Mobile, its customers, employees, partners or suppliers.
10. You have not tested, and will not test, the physical security of any property or, building of U Mobile.
11. You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service (DoS), Distributed Denial of Service (DDoS) or resource-exhaustion attacks or any activities involving unauthorised access to personal, confidential or sensitive data.
12. You agree not to access or attempt to access any sensitive  data (including personal data, financial information, proprietary information or trade secrets of any party including U Mobile) during your testing. If you gain access to such data while testing, stop and alert us immediately and if accidentally stored, you will immediately delete and not retain any copies. You agree not to store, transfer, transmit, copy or create derivative works from any data or U Mobile’s data.
13. Any information you receive or collect about U Mobile or any U Mobile customers or any action taken by U Mobile or any discussions with U Mobile  through participation in this policy (Confidential Information) must be kept confidential and only used in connection with this policy. You agree (i) to hold the Confidential Information in strict confidence, (ii) to protect the Confidential Information from any unauthorized use or disclosure, (iii) not to disclose the Confidential Information to any third party including the public, (iv) not to use the Confidential Information for any purpose other than in connection with participation in this policy, and (v) to notify us if you discover any unauthorized disclosure of the Confidential Information.
14. You warrant that your report does not violate any third-party intellectual property rights and you assign free of charge to U Mobile all intellectual property rights in your report.
15. By submitting a report, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against U Mobile  related to your submission. However, as a gesture of our appreciation for your responsible disclosure, U Mobile may at its sole and absolute discretion offer token rewards or other benefit to anyone who responsibly and ethically discloses security issues to us while adhering to this policy.  

Your efforts in reporting security vulnerabilities help us improve the security of our products and services and protect our customers. Thank you for working with us to keep our systems safe and maintain trust in our products and services.