StarHub Vulnerability Disclosure Program (VDP)

At StarHub, we are committed to protecting the privacy and security of our users. The safety, reliability and security of our platforms, products and services are of top priority.

StarHub recognises that despite our ongoing best efforts and security systems in place, due to the nature, complexity and ongoing advancements of out platforms, products and services, there may be potential vulnerabilities and errors present in our environment.

StarHub established the Vulnerability Disclosure Program (VDP) as it recognises the value of working with the cybersecurity community, individuals, groups, and companies to help keep, maintain and improve the integrity and security of our platforms, products and services, making them safe for all users.

This policy aims to describe StarHub’s approach in requesting for and receiving credible reports related to potential vulnerabilities and errors found in the platforms, products and services rendered by StarHub.

You are encouraged to report potential vulnerabilities and errors identified using the form at the bottom of this page.

Reporting is entirely voluntary and at your discretion. Please note that should you proceed to report, you are consenting to the terms and conditions set out on this page. If you are submitting a report on behalf of a company or group, you must be an authorised representative of the relevant company/group to do so and you warrant and consent that you have authority to submit a report on behalf of the relevant company/group.

By submitting the report using the form on this page, you agree to be bound to the following terms and conditions:

• StarHub may use the report submitted for any purpose deemed relevant by StarHub at its discretion, including without limitation, to patch validated vulnerabilities and errors by StarHub and to take on and act upon any proposed changes and/or improvements set out in the report, etc.
• To the extent that you propose any changes and/or improvements to StarHub’s platform, product or service in the report, you assign all use and ownership rights for such proposals to StarHub.
• For the avoidance of doubt, StarHub has no obligations to attend to and/or act on the proposed changes set out in your report if it deems at its discretion that the suggestions are not relevant.
• It would be your sole discretion to provide your contact information when submitting the vulnerabilities and errors report to StarHub. Should you include your contact information and personal details, you are providing StarHub with express consent for the collection, use and/or disclosure of information (including personal information) for the purposes set out in the VDP policy. To learn more about how your personal information is handled, please visit our Privacy Policy and Data Protection Policy.
• StarHub does not guarantee that you will receive any response from StarHub to your report. However, StarHub may contact you for further clarifications if StarHub deems that it is necessary.
• You agree that the report is made without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by StarHub.
• You shall not undertake any actions which may breach applicable laws and regulations and shall comply with the same at all times. StarHub shall not provide you with any exemption, immunity, indemnity, or shield from civil or criminal liability under applicable laws and regulations. The VDP does not authorise or permit the taking of any action which may contravene applicable laws and regulations.
• You are expected to conduct yourself in a responsible manner at all times.
• You shall ensure that at all times, that you do not damage or cause harm to StarHub’s infrastructure. You shall comply with StarHub’s requirements and its company policies and shall not attempt to alter or attempt to manipulate the pages of the VDP reporting portal and/or StarHub’s pages in such a way as to disguise, hijack, or modify the site and/or pages.
• You shall not resell or redistribute StarHub’s data and information.
• You shall not engage in testing or research of StarHub’s platforms, products, services and systems with the intention or effect of causing damage, harm, or loss to StarHub.
• You shall not publish or disclose any potential vulnerabilities discovered to any third party without the consent of StarHub. This is to prevent malicious actors from exploiting the vulnerabilities that may cause damage, harm, or loss to StarHub.
• You shall not engage the use of any unlawful means to such as social engineering, spamming, phishing, denial of service, brute force attacks, or attacks on physical security to discover vulnerabilities.
• StarHub will not be obliged to consult you for media or public release of statements of the potential or validated vulnerabilities.
• StarHub will not be obliged to provide any financial incentives of any potential or resolution of validated vulnerability.