Vulnerability Disclosure Policy

Coordinated security-disclosure terms for researchers acting in good faith. Receipt acknowledged within two business days. Default 90-day coordinated-disclosure window.

Version
1.0
Last updated
2026-06-09
Effective
2026-06-09

UG UAE LLC welcomes reports from security researchers and members of the public who identify vulnerabilities in the systems listed below. This policy describes how to report a vulnerability, what we ask of you, and what you can expect from us.

1. Scope

This policy applies to the following assets:

In scope

  • The UG UAE public website at ug-uae.co and all subdomains owned and operated by UG UAE, including marketing surfaces published under that domain.
  • The UG Cortex operator application served from UG UAE-controlled hosts; the specific production hostnames are provided to authorized researchers on request via security@ug-uae.co.
  • Public APIs and software platform components made generally available by UG UAE, where their authoritative documentation references this policy.
  • Mobile clients distributed through the Apple App Store and Google Play Store under the UG UAE publisher account, where applicable.

Out of scope

  • Third-party services UG UAE does not own or operate (report to that vendor directly).
  • Physical premises, personnel, and supplier facilities.
  • Social engineering of UG UAE employees, contractors, clients, or family members.
  • Findings derived from denial-of-service testing, volumetric load testing, or any test that degrades availability for other users.
  • Findings derived from compromise of an end user's device or credentials rather than a defect in our systems.
  • Reports based exclusively on the absence of "best-practice" headers, banner-version disclosure, missing rate limits without demonstrable impact, self-XSS, clickjacking on pages with no sensitive action, and similar low-severity informational findings, unless chained into a meaningful impact.

If you are unsure whether an asset is in scope, ask first at security@ug-uae.co.

2. How to report

Send your report to security@ug-uae.co. Encrypt sensitive reports using our PGP key:

Please include:

  • a clear description of the vulnerability and the affected asset;
  • step-by-step reproduction instructions and any required preconditions;
  • proof-of-concept artifacts (screenshots, request/response captures, minimal scripts) sufficient to reproduce without exfiltrating real data;
  • an assessment of potential impact;
  • the date and time of testing (with timezone) and the source IP addresses you used;
  • whether you have shared, or intend to share, the finding with anyone else; and
  • the name or handle you wish to be credited under, if any.

We acknowledge receipt within two business days.

3. Acceptable testing

We ask that you:

  • act in good faith and avoid privacy violations, destruction of data, and interruption or degradation of service;
  • limit testing to accounts you own or have explicit permission to test, and use only test data you create;
  • stop testing and report immediately upon encountering any data that appears to be personal, regulated, or otherwise sensitive, and do not download, retain, transfer, or further access such data;
  • avoid techniques that could harm reliability or availability, including denial-of-service, brute-force at scale, automated vulnerability-scanner runs without rate-limiting, and resource-exhaustion attacks;
  • avoid social engineering of any person, including phishing, vishing, smishing, and physical-pretext approaches;
  • avoid physical testing of UG UAE premises and supplier facilities;
  • comply with all applicable laws of your jurisdiction and the jurisdiction in which the target system is hosted; and
  • give us a reasonable opportunity to investigate and remediate before public disclosure (see §5).

4. Safe harbor

When you research and report in good faith and within the scope and conduct described in this policy, UG UAE:

  • will not pursue or support legal action against you in respect of the conduct described;
  • will treat your activity as authorized testing for purposes of the computer-misuse and unauthorized-access provisions of the laws of the United Arab Emirates as they relate to UG UAE-controlled systems, and of analogous laws of other jurisdictions where UG UAE is the system owner;
  • will work with you in good faith to understand and resolve the issue promptly; and
  • will publicly recognize your contribution if you wish (see §6).

This safe-harbor commitment does not, and cannot, bind third parties. If your testing inadvertently affects a system, account, or data not owned by UG UAE, separate authorization from that owner may be required, and UG UAE cannot grant it on their behalf. This commitment is subject to any mandatory carve-outs required by the laws of the United Arab Emirates.

5. Disclosure timeline

Our default coordinated-disclosure window is 90 calendar days from the date we acknowledge a valid report. We will work to remediate within this window and will provide status updates at reasonable intervals.

  • If we need more time, we will explain why and seek your agreement to extend.
  • If we resolve the issue earlier and the fix has been deployed to all affected production systems, we may shorten the window by mutual agreement.
  • If the vulnerability is being actively exploited in the wild against UG UAE or its users, we may issue advisories on an expedited timeline regardless of the default window. We will also accept expedited disclosure proposals from researchers in such cases.
  • Public disclosure outside the agreed timeline may forfeit safe-harbor coverage and acknowledgment.

We will not seek to suppress legitimate research outputs, and we will not condition acknowledgments on perpetual nondisclosure.

6. Acknowledgments

With your consent, we will acknowledge valid reports in a public hall of fame at https://ug-uae.co/legal/security-acknowledgments. You may opt in or out at the time of reporting. We do not at present operate a paid bug-bounty program; we will update this policy if that changes.

7. What this policy is not

  • This policy is not a contract and does not create rights enforceable against UG UAE beyond those expressly stated.
  • This policy does not authorize testing against client systems, government systems, or any system UG UAE does not own or operate.
  • This policy does not supersede any non-disclosure agreement, contractor agreement, or employment obligation you may have with UG UAE.

8. Contact and updates

Questions about this policy: security@ug-uae.co. We may revise this policy from time to time. The version number and last-updated date at the top of this page identify the current version.


This is a published legal statement. The current version supersedes all prior versions. Last updated: 2026-06-09. For questions: legal@ug-uae.co.
