Report a vulnerability or a security issue

Vulnerability Disclosure Programme (“VDP”)

 

The security and confidentiality of our customers' data, and the reliability and integrity of our systems, products, and services, are top priorities for UOB. We recognise that vulnerabilities or errors may occasionally arise, which is why UOB has introduced this VDP to address potential risks proactively.

Terms of reporting
We encourage customers, users, researchers, partners, and individuals interacting with our services to report potential, suspected, or identified vulnerabilities responsibly.

The following terms provide the guidelines for the responsible and direct submission of vulnerability reports to UOB, and apply to any security vulnerabilities, weaknesses or errors identified in UOB's products, services, applications, processes and/or online platforms.

By voluntarily submitting a vulnerability report to UOB, you confirm and agree that:

  • You will not exploit the identified vulnerabilities or attempt to gain unauthorised access to our systems and data
  • You will not disclose the vulnerability details, as well as the fact that you submitted a report to UOB, to third parties, or publicly
  • Your report is made in good faith, with no expectation of financial incentive of any kind, or other rewards
  • You assign all use and ownership rights of the reported vulnerability to UOB

Notwithstanding, the following activities are prohibited:

  • Exploit vulnerabilities or errors for personal gain
  • Disclose or use any proprietary or confidential UOB information or data
  • Engage in social engineering, phishing, spamming, denial-of-service, or resource-exhaustion attacks
  • Test physical security measures or attempt unauthorised access to systems not covered by this VDP

UOB will not be liable for any expense, damage, or loss of any kind which you may incur, whether directly or indirectly, as a result of the reported vulnerability. UOB’s acceptance of a vulnerability report does not constitute a waiver of any rights or claims for non-compliance with this VDP or applicable laws.

Confidentiality and Personal Data
We treat vulnerability reports with the utmost confidentiality.
By submitting your contact information and details, you consent to the collection, disclosure and processing of your personal data and your report for the following purposes, where applicable:

  • Communicating with you regarding the reported vulnerability;
  • Verifying your identity and establishing the legitimacy of the reported vulnerability;
  • Assessing and remediating the reported vulnerability;
  • Performing analytics and research to enhance our cybersecurity resilience and capabilities;
  • Improving our systems and processes;
  • Auditing, managing risk, staff training and internal reporting;
  • Preventing, detecting and investigating criminal offences;
  • Complying with legal or regulatory obligations, including requests from regulatory and cybersecurity authorities; and reporting to relevant authorities;
  • Legal purposes and proceedings (including but not limited to protection of UOB Group’s rights and interests, obtaining legal advice and facilitating dispute resolution); and
  • Any other reasonable purpose related to the above.

We may disclose your personal data, information and findings to our related corporations, whether located in Singapore or elsewhere, in order for UOB and/or any of its related corporations to carry out the purposes above.

Report a vulnerability
If you believe you have identified a security issue, we encourage you to report it through our designated form on our Vulnerability Disclosure platform. We will validate and address vulnerabilities in accordance with UOB’s policies. By submitting a report, you agree to the terms outlined in this VDP.

UOB reserves the right to modify this VDP at any time.

We deeply appreciate your efforts to enhance our security and remain committed to taking appropriate action(s) to better protect our customers.

 
