Security at Sigill
Sigill provides cryptographic evidence infrastructure for digital records, timestamps, seals, and verification workflows. Security is central to what we build. We welcome responsible security research and vulnerability reports affecting Sigill services.
Reporting a vulnerability
If you believe you have found a security vulnerability in Sigill, please report it to contact@sigill.ai.
Please include as much detail as possible:
- A clear description of the issue
- Steps to reproduce
- The affected endpoint, feature, or asset
- Potential impact
- Screenshots, logs, or proof-of-concept details where relevant
- Your contact details, if you want us to respond or credit you
We aim to acknowledge reports promptly and will work with you to understand, reproduce, and resolve valid issues.
Scope
The following assets are currently in scope:
https://sigill.aiand subdomains operated by Sigill- Public Sigill APIs
- Public verification and lookup functionality
- Authentication, tenant isolation, access control, and evidence handling flows
Third-party platforms and identity providers are out of scope unless the vulnerability is caused by Sigill's own implementation or configuration.
If you are unsure whether something is in scope, contact us before testing.
Rules of engagement
Please act in good faith and avoid actions that could harm Sigill, our users, or third parties. Do not:
- Access, modify, delete, or exfiltrate data that is not yours
- Perform denial-of-service or resource exhaustion testing
- Use automated high-volume scanning
- Attempt social engineering, phishing, or physical attacks
- Test third-party services not operated by Sigill
- Publicly disclose the issue before we have had a reasonable opportunity to investigate and fix it
If you accidentally access data that is not yours, stop immediately and report what happened.
Safe harbor
We will not pursue legal action against security researchers who act in good faith, follow this policy, avoid privacy violations and service disruption, and report vulnerabilities responsibly.
This safe harbor applies only to research against Sigill-owned systems and only when the activity complies with this policy.
Rewards
Sigill is an early-stage startup. We do not currently operate a formal bug bounty program with guaranteed payouts. However, we may offer discretionary rewards for serious, responsibly disclosed vulnerabilities, especially issues involving:
- Authentication bypass
- Tenant isolation failure
- Unauthorized access to evidence records
- Ability to forge, alter, or misrepresent verification results
- Cryptographic implementation flaws
- Exposure of secrets, private keys, tokens, or sensitive customer data
- Remote code execution or significant infrastructure compromise
For eligible high-impact findings, we may offer discretionary rewards starting from €100. Critical findings may receive higher rewards at founder discretion.
Reward decisions are based on severity, impact, exploitability, report quality, and whether the issue was already known to us.
Low-impact findings, automated scanner output, missing headers without practical impact, SPF/DMARC policy observations, rate-limit complaints without demonstrated security impact, and theoretical issues are normally not eligible for rewards.
Examples of high-impact issues for Sigill
- A user can access another tenant's evidence records
- A verification result can be forged or manipulated
- A sealed document can be changed while still appearing valid
- Timestamp evidence can be misrepresented
- Private API keys, signing material, or infrastructure credentials are exposed
- Public lookup leaks information that should not be public
- Authentication or organisation membership checks can be bypassed
Disclosure
Please give us a reasonable opportunity to investigate and remediate before publishing details. We are happy to provide credit for valid reports if you want public recognition.
Contact
Security reports and general contact: contact@sigill.ai