Legal

Vulnerability Disclosure Policy

Last updated: June 15, 2026 ยท Effective date: June 15, 2026

Sequesign builds cryptographic receipt, witness, and audit-trail infrastructure, and we take the security of the Services seriously. We welcome reports from security researchers and will work with you in good faith to investigate and resolve valid issues.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will not pursue or support legal action against you for that research, and we will treat it as exempt from the prohibitions in our Terms of Service that would otherwise apply to probing the Services. If a third party brings a claim against you for activity conducted in compliance with this policy, we will make our authorization known. This safe harbor does not apply to activity that violates the guidelines below or that harms our users or their data.

Scope

The following are in scope:

The following are out of scope:

How to report

Send reports to security@sequesign.com. Please include enough detail to reproduce the issue, including the affected endpoint or component, a description of the impact, and the steps, requests, or proof-of-concept needed to confirm it. If you are able to encrypt your report, you may request our current public key at the same address.

Guidelines for researchers

To stay within this policy, please:

Our commitments

When you report in good faith under this policy, we will acknowledge your report within five business days, work to validate and remediate confirmed issues on a timeline appropriate to severity, keep you reasonably informed of progress, and, if you wish, credit you once the issue is resolved. We aim to support coordinated disclosure and will agree a disclosure timeline with you, typically up to 90 days, that may be adjusted based on severity and remediation complexity.

Rewards

Sequesign does not operate a paid bug bounty program at this time. We are grateful for responsible reports and offer recognition rather than monetary rewards.

Commonly out-of-scope findings

Unless you can demonstrate a realistic security impact, the following are generally not eligible: missing security headers without a working exploit, reports generated solely by automated scanners, self-inflicted issues such as self-XSS, rate-limiting on non-sensitive endpoints, theoretical issues without a practical attack, and best-practice suggestions that do not present a vulnerability.

Relationship to the Terms of Service

This policy operates as a limited, good-faith exception to the acceptable-use restrictions in our Terms of Service for security research conducted within scope and in compliance with this policy. All other terms of the Agreement continue to apply.

Contact

Security reports: security@sequesign.com. This policy is published at sequesign.com/security.

Appendix: security.txt

The following is served at sequesign.com/.well-known/security.txt in accordance with RFC 9116:

Contact: mailto:security@sequesign.com

Expires: 2027-06-15T00:00:00.000Z

Policy: https://sequesign.com/security

Preferred-Languages: en

Canonical: https://sequesign.com/.well-known/security.txt