Responsible disclosure
Found a security issue in Jubi? We'd rather hear it from you than read about it. This page is what's in scope, how to send it to us, and what we'll do for researchers acting in good faith.
How to report
Email security@jubi.my. Include:
- A clear description of the issue and its security impact.
- Steps to reproduce, ideally with proof-of-concept code or a video demonstration.
- Your contact details so we can follow up. Reports may be submitted anonymously, but we cannot extend acknowledgement or recognition to anonymous reporters.
- Whether you intend to publish the finding, and a proposed disclosure date.
A signed PGP key for encrypted reports is on the roadmap. Until then, please redact any customer data in your report and refer to records by an opaque identifier.
Scope
The following are in scope:
- Production properties operated by Jubi: jubi.my and its subdomains, the customer console, and the Jubi-operated platform endpoints.
- The Jubi mobile and web client applications.
- Vulnerabilities affecting authentication, authorisation, tenant isolation, the audit log, or AI safety boundaries (prompt injection, output validation bypass, Atlas grounding bypass).
The following are out of scope:
- Third-party systems Jubi depends on but does not operate (model providers, hyperscaler infrastructure, customer-side IdPs and warehouses). Report those to the operator of the affected system.
- Social engineering of Jubi staff, customers, or contractors.
- Physical attacks on Jubi or its data centres.
- Denial-of-service or volumetric attacks.
- Findings that require a privileged position the attacker would not realistically have (compromised employee endpoint, root on the customer's machine).
- Issues already known to us, already publicly disclosed, or already reported by another researcher.
- Best-practice or hardening recommendations that do not constitute a vulnerability (e.g. missing security headers without a demonstrable impact).
- Automated scanner output without manual validation and demonstrated impact.
Safe harbour
If you research in good faith and within this policy, Jubi will:
- Treat the research as authorised under applicable computer-misuse laws to the extent we are able to do so under the law;
- Not pursue civil action against you for activities that are within scope and consistent with this policy; and
- Work with you on coordinated disclosure.
Safe harbour does not extend to anyone subject to U.S. or other applicable sanctions, or located in a jurisdiction sanctioned by the Government of Malaysia or our payment processors.
Coordinated disclosure
- We aim to acknowledge a valid report promptly, triage soon after, and keep you reasonably updated as we work on a fix.
- Our standard coordinated disclosure window is 90 days from the date we acknowledge the report. We may request an extension if the fix requires significant engineering work, vendor coordination, or carries customer-side complexity. We will explain the reason if we do.
- We may request that you delay public disclosure until customers have had a reasonable opportunity to patch or update.
- If we and the reporter cannot agree on a disclosure timeline, we will discuss in good faith and take reasonable steps to protect customers in the interim.
Recognition
For valid reports of new, in-scope vulnerabilities we will, with your consent, acknowledge you in our security acknowledgements (planned for GA). Where local law permits and we are otherwise able, we may extend a recognition reward; this is at our sole discretion and is not a contractual entitlement.
We do not currently operate a paid bug bounty programme. If we launch one, the terms (eligibility, payout schedule, exclusions) will be published separately.
What we ask researchers to avoid
- Do not access, modify, or save customer data beyond what is strictly necessary to demonstrate impact. If you encounter customer data, stop and report.
- Do not run scans or tests that materially affect availability for other users.
- Do not perform testing during periods we have asked you to pause (e.g. during an active customer incident).
- Do not use findings for any purpose other than coordinated disclosure to Jubi.
- Do not publicly disclose details before the agreed disclosure date.
Customer-side red teaming
Customers may, under their engagement, conduct authorised security testing of their own tenant. This is not a vulnerability programme; it is a contracted activity. Email security@jubi.my in advance with the planned scope, window, and source IP ranges so we can avoid blocking legitimate test traffic and so the activity is correctly attributed in our logs.
Reservations
Jubi reserves the right to update or withdraw this policy, modify scope, decline to triage reports outside scope, decline recognition, and take any action it considers appropriate to protect its customers, its platform, and other researchers. Nothing in this policy creates a binding contractual obligation; the safe-harbour commitments above are extended as a matter of programme conduct.
Reports: security@jubi.my · Machine-readable contact: security.txt