UPM’s Vulnerability Disclosure Program

Vulnerability Disclosure Philosophy

At UPM, we are committed to keeping our employees’ and customers’ data secure and protected. Security is a top priority for us, and we value the contributions of independent security researchers in identifying potential vulnerabilities that may impact the safety of our digital assets. If you believe you have discovered a potential security vulnerability affecting our services, please let us know using the form below. UPM defines a security vulnerability as an unintended weakness, flaw or exposure that could be used to compromise the confidentiality, integrity, or availability of UPM’s data, products and services.

UPM will not take legal action against you for any activity conducted in accordance with the Vulnerability Disclosure Policy guidelines below. UPM may modify this policy at any time at its sole discretion.

Vulnerability Disclosure Guidelines

  • Do not disclose any potential security issues to any third parties or channels, including but not limited to social media.
  • Only use the least harmful and non-disruptive tactics to confirm whether a vulnerability is present.
  • Do not engage in any form of social engineering, such as phishing our customers, potential customers or employees.
  • Do not engage in acts of intimidation or extortion.
  • Do not perform attacks on our infrastructure.
  • Do not perform automated or Denial-of-Service attacks.
  • Do not access, download, modify or disclose data residing in an account that doesn’t belong to you.
  • Do not violate the privacy of others, disrupt our systems, destroy data, or harm users.
  • Do not violate laws and regulations applicable to our services.
  • If a vulnerability provides unintended access to data, cease testing and submit a report immediately (e.g., if you encounter user data such as personal or proprietary information during testing).
  • Submission of a report does not create an employment or agency relationship between you and UPM.

Scope

In Scope:

The scope of UPM’s Vulnerability Disclosure Program is limited to the public-facing services and web applications, cloud-based services and third-party integrations (where applicable) owned, operated or maintained by UPM. The policy covers vulnerabilities that could affect the confidentiality, integrity, or availability of UPM’s data, systems, users and customers.

Out of Scope:

The scope of UPM’s Vulnerability Disclosure Program doesn’t include social engineering (e.g., phishing) attacks, physical security vulnerabilities, Denial-of-Service (DoS) attacks, automated attacks and vulnerabilities in third-party systems not directly managed by UPM.

Vulnerability Reporting

Please submit the report as soon as possible after discovering a vulnerability within the specified scope. Provide sufficient information to reproduce the issue so we can resolve it as quickly as possible. Please use the official reporting form below for submissions. Reports must be submitted in English.

We will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

UPM values your efforts in helping us maintain a secure environment for our employees, customers and services.