Responsible Disclosure Policy

At Majid Al Futtaim we care deeply about maintaining the trust and confidence that our customers place in us. We understand that protection of customer data is a significant responsibility and requires our highest priority. We therefore take the security of our digital platforms extremely seriously, and we genuinely value the assistance of security researchers and others in the security community in keeping them secure.

If you are a security researcher and have discovered a security vulnerability in one of our digital platforms (e.g. websites or mobile applications), we appreciate your cooperation in disclosing it to us in a responsible manner. We will validate and fix confirmed vulnerabilities in accordance with our commitment to security and privacy.


Security researchers should use only the form at the end of this page, and no other channel of communication, to share the details of any suspected vulnerability. Reports should include detailed information with steps for us to reproduce the vulnerability.


To keep the process cooperative, the following activities are prohibited under this policy and considered non-compliant:

  1. Publicly disclosing the details of any identified or alleged vulnerability without express written consent from Majid Al Futtaim
  2. Modifying data residing in an account that does not belong to you
  3. Accessing or downloading data beyond the minimum required to demonstrate a vulnerability. This should not exceed 1-2 records if at all necessary.
  4. Attempting to execute actions that disrupt the availability of our digital assets (e.g. any volumetric or denial of service attacks)
  5. Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  6. Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, SMS, spam, or other forms of duplicative or unsolicited messages
  7. Testing in a manner that would degrade the performance or operation of any Majid Al Futtaim digital assets
  8. Testing third-party applications, websites, or services that integrate with or link to Majid Al Futtaim digital assets
  9. Making any changes to system configurations, files, or data
  10. Introducing a backdoor in any digital asset
  11. Conducting non-technical attacks such as social engineering or phishing