Last Updated: 24 December 2025
We welcome good-faith security research to help keep Signify secure. If you discover a vulnerability, report it responsibly so we can investigate and remediate it. By following this policy, you are authorized to test within scope and we will not pursue legal action under applicable computer misuse laws for activities performed in good faith.
1. Our Commitment
At Signify, safeguarding the security of our systems, services, and user data is central to our mission. We recognize the important role that security researchers and ethical hackers play in strengthening our defenses. If you identify a potential security vulnerability affecting the confidentiality, integrity, or availability of Signify’s services or platform, we encourage you to report it responsibly.
2. Confidentiality
For the protection of our users and partners, we treat all vulnerability reports as confidential. Please refrain from publicly disclosing or discussing any findings until they have been fully reviewed and addressed by our team.
3. Scope
In-scope
- signify.ink (main site)
- Public subdomains owned by Signify
- Public mobile & web widgets
- Public APIs
Out-of-scope
- Third-party services and integrations (unless you have explicit permission from the third party)
- Social engineering attacks against Signify staff or users
- Denial-of-service (DoS/DDoS) testing
- Physical security exploits
4. Prohibited Activities
While we encourage responsible research, the following activities are strictly prohibited because they may cause harm:
- Attempting to access data or accounts you are not authorized to view.
- Modifying, deleting, or exfiltrating data.
- Launching denial of service (DoS) or distributed denial of service (DDoS) attacks.
- Uploading, distributing, or linking to malware or other harmful code.
- Conducting phishing or other forms of social engineering against Signify staff, users, or partners.
- Exploiting physical security or facilities.
- Any activities that violate applicable laws or regulations.
5. Safe Harbor
We consider research conducted in accordance with this policy to be authorized under applicable laws (including CFAA, DMCA, IT Act, and Norwegian law). We will not initiate legal action for accidental, good-faith violations. This policy does not grant permission to act unlawfully and cannot bind third parties.
6. Reporting a Security Issue
If you discover a potential vulnerability, please report it responsibly by emailing us at info@signify.ink or via our Contact Us form: https://signify.ink/contact-us.
To help us assess and address your report effectively, please include:
- The affected product, feature, or URL.
- Steps to reproduce the issue (detailed and repeatable).
- Date and time the vulnerability was observed (with timezone if possible).
- Relevant technical details, logs, screenshots, or proof-of-concept code.
You may submit the report anonymously. If you provide contact details, our team may reach out for clarification or additional information.
7. Disclosure Timeline
Please allow us up to 90 days to address reported issues before public disclosure. Coordinated disclosure helps protect users while enabling fixes. If you believe a reported issue requires faster disclosure, indicate that in your report and our team will coordinate with you.
8. What Happens Next
Once your report is submitted, our team will review it and, if necessary, initiate an investigation. We aim to acknowledge valid submissions within five business days. If confirmed, we will remediate as quickly as possible and may notify regulators or law enforcement if required.
9. Privacy
Any personal information you provide will be handled in accordance with our Privacy Policy. You are not required to identify yourself; anonymous or pseudonymous submissions are welcome.
10. Recognition
While Signify does not offer financial rewards for vulnerability disclosures, we deeply value the efforts of the security community. With your consent, we may acknowledge your contribution in future communications or documentation.