Responsible Vulnerability Disclosure
This page is for independent security researchers who want to report vulnerabilities on the SyncSign platform, or who want to start looking for them.
The information on this page is intended only for security researchers who are interested in reporting security vulnerabilities on SyncSign. If you are a SyncSign holder and have questions, you can contact our customer service team at help[at]sync-sign.com
If you believe that you have discovered a security vulnerability on SyncSign, we strongly encourage you to inform us and to not disclose the vulnerability publicly.
Reporting a potential security vulnerability:
Privately send details of the vulnerability to the SyncSign team by email at dev[at]sync-sign.com
Please provide full details of the vulnerability, including:
Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
Product and version that contains the bug, or URL
Service packs, security updates, or other updates for the product you have installed
Any special configuration required to reproduce the issue
Step-by-step instructions to reproduce the issue on a fresh install
Proof-of-concept or exploit code
Impact of the issue, including how an attacker could exploit the issue
SyncSign follows Coordinated Vulnerability Disclosure (CVD) and, to protect the ecosystem, we request that those reporting to us do the same.
Please import SyncSign Security Response Center PGP Key:
gpg --keyserver hkps://keyserver.ubuntu.com --search-keys 28BAF70937CD1697
Please verify the fingerprint:
pub rsa2048 2019-09-20 [SC] [expires: 2021-09-19]
3B88 B94C 833F 05BF CF31 6994 28BA F709 37CD 1697
uid [ultimate] SyncSign <dev@sync-sign.com>
sub rsa2048 2019-09-20 [E] [expires: 2021-09-19]
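The fingerprint check above can be scripted rather than compared by eye. The following is an added example, not SyncSign's own tooling: the check_key function and the sample listing are constructed for illustration, and the function also reports an expired key, since the listing above carries an expiry date.

```shell
#!/bin/sh
# Fingerprint as printed on this page, spaces removed.
EXPECTED_FPR="3B88B94C833F05BFCF31699428BAF70937CD1697"

# Constructed sample of `gpg --with-colons --fingerprint` output. The timestamps are
# midnight UTC on the dates shown on this page; the subkey values are placeholders.
SAMPLE_LISTING='pub:u:2048:1:28BAF70937CD1697:1568937600:1632009600::u:::scESC:
fpr:::::::::3B88B94C833F05BFCF31699428BAF70937CD1697:
uid:u::::1568937600::::SyncSign <dev@sync-sign.com>:
sub:u:2048:1:0000000000000000:1568937600:1632009600:::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# check_key EXPECTED_FPR NOW_EPOCH   (colon listing on stdin)
# Exit status: 0 = primary fingerprint matches and key is not expired,
#              1 = no primary key with that fingerprint, 2 = match but expired.
check_key() {
    awk -F: -v want="$1" -v now="$2" '
        $1 == "pub" { expires = $7; primary = 1; next }
        $1 == "sub" { primary = 0; next }
        # Only the fpr record that directly follows a pub record is the primary key.
        $1 == "fpr" && primary {
            primary = 0
            if ($10 == want) { found = 1; expiry = expires }
        }
        END {
            if (!found) exit 1
            if (expiry != "" && expiry + 0 <= now + 0) exit 2
            exit 0
        }'
}

# Real use, after importing the key:
#   gpg --with-colons --fingerprint 28BAF70937CD1697 | check_key "$EXPECTED_FPR" "$(date +%s)"
```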
We appreciate your assistance, and we review all reports and do our best to address the issues within the specified time frame.