Vulnerability Disclosure Policy
Sequesign builds cryptographic receipt, witness, and audit-trail infrastructure, and we take the security of the Services seriously. We welcome reports from security researchers and will work with you in good faith to investigate and resolve valid issues.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will not pursue or support legal action against you for that research, and we will treat it as exempt from the prohibitions in our Terms of Service that would otherwise apply to probing the Services. If a third party brings a claim against you for activity conducted in compliance with this policy, we will make our authorization known. This safe harbor does not apply to activity that violates the guidelines below or that harms our users or their data.
Scope
The following are in scope:
- The Sequesign websites and dashboard at sequesign.com and its subdomains
- The Sequesign API
- The hosted verifier at verify.sequesign.com
- The hosted witness service
The following are out of scope:
- Systems and services operated by our providers, such as Cloudflare, Fly.io, Railway, Neon, Stripe, WorkOS, Resend, and Microsoft, which should be reported to those providers
- Denial-of-service and volumetric testing, and any testing that degrades or disrupts the Services or other users
- Social engineering, phishing, or physical attacks against Sequesign, its staff, or its providers
- Findings that require access to a victim device, a rooted or compromised endpoint, or a man-in-the-middle position you control
How to report
Send reports to security@sequesign.com. Please include enough detail to reproduce the issue, including the affected endpoint or component, a description of the impact, and the steps, requests, or proof-of-concept needed to confirm it. If you are able to encrypt your report, you may request our current public key at the same address.
Guidelines for researchers
To stay within this policy, please:
- Stop as soon as you have confirmed a vulnerability, and do not access, modify, delete, or exfiltrate data that is not your own
- Use only test accounts and test data that you control
- Avoid privacy violations, data destruction, and any interruption or degradation of the Services
- Keep the details of any vulnerability confidential until we have had a reasonable opportunity to remediate it
- Not demand payment as a condition of disclosing a vulnerability, and not publicly disclose before coordinated disclosure
Our commitments
When you report in good faith under this policy, we will acknowledge your report within five business days, work to validate and remediate confirmed issues on a timeline appropriate to severity, keep you reasonably informed of progress, and, if you wish, credit you once the issue is resolved. We aim to support coordinated disclosure and will agree a disclosure timeline with you, typically up to 90 days, that may be adjusted based on severity and remediation complexity.
Rewards
Sequesign does not operate a paid bug bounty program at this time. We are grateful for responsible reports and offer recognition rather than monetary rewards.
Commonly out-of-scope findings
Unless you can demonstrate a realistic security impact, the following are generally not eligible: missing security headers without a working exploit, reports generated solely by automated scanners, self-inflicted issues such as self-XSS, rate-limiting on non-sensitive endpoints, theoretical issues without a practical attack, and best-practice suggestions that do not present a vulnerability.
Relationship to the Terms of Service
This policy operates as a limited, good-faith exception to the acceptable-use restrictions in our Terms of Service for security research conducted within scope and in compliance with this policy. All other terms of the Agreement continue to apply.
Contact
Security reports: security@sequesign.com. This policy is published at sequesign.com/security.
Appendix: security.txt
The following is served at sequesign.com/.well-known/security.txt in accordance with RFC 9116:
Contact: mailto:security@sequesign.com
Expires: 2027-06-15T00:00:00.000Z
Policy: https://sequesign.com/security
Preferred-Languages: en
Canonical: https://sequesign.com/.well-known/security.txt