SigParser Vulnerability Disclosure Program

Security matters and we want to know about any issues you find.


Last modified 1/31/2020

Keeping user information safe and secure is a top priority and a core company value for us at SigParser. We welcome the contribution of our users and external security researchers in helping us become more secure. No technology is perfect, and SigParser believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

You can email security@sigparser.com if you identify any vulnerabilities or security issues or have security questions.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. Email security@sigparser.com.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

For Testers

DO NOT TEST THESE THINGS

  • Production resources (sigparser.com, app.sigparser.com, ipaas.sigparser.com) - Do not create accounts on production. It really breaks our internal metrics.
  • Chat Widget on website
  • Submitting demo requests
  • Don’t run brute force penetration tests. This will likely cause you to get blocked by the host.
  • The S3 buckets for static site content being public isn’t a bug (these have to be public and no sensitive data is kept in them)
  • Denial of service
  • Spamming
  • Social engineering (including phishing) of SigParser staff or contractors
  • Any physical attempts against SigParser property or data centers

We point these out because people often don’t read our full policy and test things they shouldn’t.

You must notify us that you’re doing any security research before starting and tell us what username you’re using. Email security@sigparser.com if you’re doing testing. Otherwise, AWS will start locking you out and all sorts of alarms can be triggered on our end.

Scope for Testing

When testing, only test on the beta URLs.

  • beta.sigparser.com
  • beta1.sigparser.com
  • api-beta.sigparser.com
  • beta-ipaas.sigparser.com

Do not test on any of the production URLs.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep SigParser and our users safe!