Responsible Disclosure Policy

About Signzy:

Signzy is the market-leading digital banking infrastructure provider that is redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses using digital mediums. Signzy’s award-winning GO platform delivers seamless, end-to-end, multi-product user journeys from “lead to activation” without writing a single line of code. It provides access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Scope:

The scope of this policy is explicitly limited to the following domain:

  • signzy.com

Guidelines for Reporting Vulnerabilities:

We encourage the reporting of potential security vulnerabilities to help us ensure the safety and security of our digital assets. Please adhere to the following guidelines when submitting your report:

Act in Good Faith:

  • Ensure that your findings are reported in a manner that safeguards the confidentiality, integrity, and availability of our systems and data.
  • Do not exploit any vulnerability beyond the extent required to demonstrate it.

Provide Detailed Reports:

  • Clearly describe the vulnerability and its potential impact.
  • PProvide detailed steps to reproduce the issue.
  • Include any relevant screenshots, videos, or logs.

Allow Us Time to Respond:

Give us a reasonable amount of time to resolve the issue before publicly disclosing it.
We typically aim to acknowledge your report within 5 business days and provide a resolution within 90 days.

Avoid the Following:

  • Do not engage in any activities that could harm our systems, data, or users.
  • Do not perform any actions that could disrupt our services, such as denial of service attacks.
  • Do not access, modify, or delete any data that does not belong to you.

In-Scope Vulnerabilities:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • SQL injection
  • Authentication or authorization flaws
  • Security misconfigurations
  • Sensitive data exposure
  • Privilege escalation

Out-of-Scope Vulnerabilities:

  • Reports from automated tools or scanners without a proof of concept
  • Denial of Service (DoS) attacks
  • Physical security issues
  • Social engineering attacks
  • Issues that require unlikely user interaction
  • Duplicate vulnerabilities reported by internal/external security teams

Our Commitment:

  • We will work with you to understand and validate your report.
  • We will address the vulnerability in a timely manner.
  • We will not take legal action against researchers who adhere to this policy and act in good faith.

Acknowledgments and Rewards:

While we do not have a formal bug bounty program, we appreciate the efforts of security researchers and may acknowledge their contributions on our website. In some cases, we may offer swags based on the severity and impact of the reported issue.

Contact Information:

To report a vulnerability, please email our security team at infosec@signzy.com.

Changes to This Policy:

Signzy reserves the right to update this policy at any time. Changes will be communicated via our website.