Introduction

NTUC Enterprise (NE) is committed to provide a secure environment for the general public and customers using our online services. While we conduct regular scanning of our online services to identify and fix as many security vulnerabilities as we can, we may not be able to uncover all the vulnerabilities. We will be glad to hear from you if you encounter security vulnerabilities when accessing our online services, through our public facing websites or mobile applications.

Our Vulnerability Disclosure Programme aims to provide a set of rules and guidelines to facilitate reporting of security vulnerabilities in our online services, and how we will work with you after a vulnerability has been reported.

Scope

The online services of NE and its Social Enterprises (SEs) listed below are within the scope of this Programme.

• ntucenterprise.recruiterpal.com/career
• www.ntucenterprise.sg
• Fairprice Online Mobile Application
• www.fairprice.com.sg
• www.fairpricefoundation.org
• www.fairpricesupplychain.com
• unity.com.sg
• cheers.com.sg
• link.sg
• ntuclearninghub.com
• myfirstskool.com
• littleskoolhouse.com
• ntucfirstcampus.com
• fairpricegroup.com.sg
• learnwithmfs.com
• laupasat.sg
• LearningHub Learning eXperience Platform (LXP) Mobile Application
• www.ntuchealth.sg
• www.kopitiam.biz
• www.foodfare.com.sg

In the interest of the safety of our customers, staff and the Internet at large, we seek your understanding to avoid the following testing types:

• Social engineering (e.g. phishing, vishing)
• Network-level Denial of Service (DoS/DDoS)

Expectations

We look forward to the sharing of information by the wider community, to supplement our effort and commitment in safeguarding our systems, applications and data. We will acknowledge your responsible disclosure effort should your findings be accepted but we are unable to offer remuneration, fee or reward under this Programme.

We will make our best effort to provide an initial response to your report within 3 business days. Please keep information about any vulnerabilities you have discovered confidential between yourself and NTUC Enterprise for up to 90 calendar days and refrain from disclosing any vulnerabilities without prior written consent from us.

For vulnerabilities affecting services of our 3rd party providers, we will inform them of your findings since we are dependent on our providers for the fixes.

Rules and Guidelines

Please DO NOT take this Programme as permission or encouragement to hack, penetrate, or gain unauthorised access to our systems, applications or data. We seek your cooperation to act in good faith and comply with applicable laws and regulations, which may otherwise be considered an act of computer misuse.

• Avoid compromising the privacy of our customers, degrading user experience or disrupting the operation of our online services.
• Do not intentionally access non-public data any more than is necessary to demonstrate the vulnerability. If you inadvertently access other users' data, please let us know and do not store any such user data.

We are particularly interested in the following types of vulnerabilities and impacts:

• Remote code execution
• XSS resulting in access to sensitive data (e.g. session information)
• SQL injection resulting in access to sensitive data or functionality
• Business logic flaws that result in access to sensitive data or functionality

We are less interested in the following types of findings, which are more likely to get rejected as false positives or accepted risks:

• Unverified automated scanner results
• Issues that are unlikely to be exploitable or that do not have realistic security impact (e.g. UI/UX bugs and spelling mistakes)

To assist us with the validation, we appreciate if you can provide sufficient details in your report, including:

• Date / Time of vulnerability discovery
• Description of the vulnerability
• Location and potential impact of the vulnerability
• Steps, tools, and artifacts used during the discovery that are helpful for us to reproduce the vulnerability
• Supplementary information on the vulnerability which could include screen captures, videos, scripts and other documentations