Responsible disclosure
How to report a security finding without getting sued.
Last updated 09 May 2026
We welcome responsible disclosure. If you have found a vulnerability:
· Email security@onset.my with technical detail, including reproduction steps.
· We acknowledge within 24 hours and triage within 72 hours.
· Do not exfiltrate customer data. Stop testing as soon as you've confirmed the vulnerability.
· Do not publicly disclose the vulnerability before we've had reasonable time to remediate (default: 90 days, extendable for complex issues).
Safe-harbour
We will not pursue legal action against researchers who:
· Make a good-faith effort to follow the rules above.
· Avoid privacy violations, data destruction, and service disruption.
· Do not extort us for payment as a condition of disclosure (a regular bounty is fine; coercive payment requests aren't).
Rewards
We currently run a private bounty programme via direct invitation. A public launch is planned for Q4 2026. Critical findings receive RM 500–5000 today on a goodwill basis.
