Responsible Vulnerability Disclosure

This page is for independent security researchers who are willing to report, or want to start looking for, vulnerabilities on the SyncSign platform.

The information on this page is intended only for security researchers who are interested in reporting security vulnerabilities on SyncSign. If you are a SyncSign holder and have questions, you can contact our customer service team at help[at]sync-sign.com.

If you believe that you have discovered a security vulnerability on SyncSign, we strongly encourage you to inform us and to not disclose the vulnerability publicly.

Reporting a potential security vulnerability:

Privately send details of the vulnerability to the SyncSign team by emailing dev[at]sync-sign.com

Please provide full details of the vulnerability, including:

  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)

  • Product and version that contains the bug, or URL

  • Service packs, security updates, or other updates for the product you have installed

  • Any special configuration required to reproduce the issue

  • Step-by-step instructions to reproduce the issue on a fresh install

  • Proof-of-concept or exploit code

  • Impact of the issue, including how an attacker could exploit the issue

SyncSign follows Coordinated Vulnerability Disclosure (CVD) and, to protect the ecosystem, we request that those reporting to us do the same.

Please import the SyncSign Security Response Center PGP key:

gpg --keyserver hkps://keyserver.ubuntu.com --search-keys 28BAF70937CD1697

Please verify the fingerprint:

pub   rsa2048 2019-09-20 [SC] [expires: 2021-09-19]
      3B88 B94C 833F 05BF CF31  6994 28BA F709 37CD 1697
uid           [ultimate] SyncSign <dev@sync-sign.com>
sub   rsa2048 2019-09-20 [E] [expires: 2021-09-19]
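
The fingerprint check above can be scripted instead of compared by eye. This is an added example, not SyncSign's own tooling: the function names and the sample listing are constructed for illustration, with the fingerprint and dates taken from the output above.

```shell
# Fingerprint exactly as printed on this page (whitespace is stripped below).
EXPECTED_FPR="3B88 B94C 833F 05BF CF31  6994 28BA F709 37CD 1697"

# Strip whitespace and upper-case hex digits so both sides compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record after the "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Print the primary key's expiry (field 7 of "pub", epoch seconds; empty if none).
primary_expiry() {
    awk -F: '$1 == "pub" { print $7; exit }'
}

# verify_listing LISTING NOW_EPOCH
# Prints "ok", "mismatch" or "expired"; returns non-zero unless "ok".
verify_listing() {
    listing=$1
    now=$2
    got=$(printf '%s\n' "$listing" | primary_fpr)
    [ "$got" = "$(normalize_fpr "$EXPECTED_FPR")" ] || { echo mismatch; return 1; }
    exp=$(printf '%s\n' "$listing" | primary_expiry)
    if [ -n "$exp" ] && [ "$exp" -le "$now" ]; then echo expired; return 2; fi
    echo ok
}

# Constructed sample of colon-format output for the key shown on this page
# (timestamps are 2019-09-20 and 2021-09-19 UTC; the subkey values are placeholders).
SAMPLE_LISTING='pub:-:2048:1:28BAF70937CD1697:1568937600:1632009600::-:::scESC::::::23::0:
fpr:::::::::3B88B94C833F05BFCF31699428BAF70937CD1697:
sub:-:2048:1:0000000000000000:1568937600:1632009600:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Against a real keyring, after the import step:
#   verify_listing "$(gpg --with-colons --fingerprint 28BAF70937CD1697)" "$(date +%s)"
```

A result of "expired" means the local copy of the key is past the expiry date in its listing, so GnuPG will refuse to encrypt to it until a refreshed copy is obtained.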

We appreciate your assistance, and we review all reports and do our best to address the issues within the specified time frame.