VaseSignby Stars in a Vase Digital Trust
FeaturesIndustriesAI reviewEvidenceFeature ShopPartnersTrust CenterConnect
✦ Sign For Free. Forever.
Sign inStart signing

Trust Center

Vulnerability disclosure

Coordinated disclosure expectations, reporting channel, and safe-harbour practices for good-faith security research.

  • Overview
  • Legal alignment
  • Signature levels
  • Evidence pack
  • Security
  • Privacy & POPIA
  • Subprocessors
  • Data residency
  • Data retention
  • Incident response
  • Availability
  • Enterprise assurance
  • Vulnerability disclosure
  • Contact
VaseSignby Stars in a Vase Digital Trust

VaseSign by Stars in a Vase Digital Trust helps teams prepare, review, send, sign, verify and evidence important documents with ECTA-aware workflows, POPIA-aligned controls where configured, and optional higher-assurance paths through configured providers.

Product

  • Features
  • AI document review
  • Evidence-backed signing
  • Feature Shop
  • Partner Network
  • Marketplace
  • Developers
  • Trust Center

Industries

  • Legal & conveyancing
  • Property & rentals
  • HR & onboarding
  • Banking & insurance
  • Government & SMEs

Company

  • About & trust
  • Contact
  • OEM partners
  • White label
  • Partner portal
  • Careers

Legal

  • Trust Center
  • Privacy Policy
  • Terms of Service
  • POPIA (Trust)
  • ECTA alignment

2026 Stars in a Vase Digital Trust. All rights reserved. | ✦ Sign For Free. Forever.

Built in South Africa|ECTA-aware · POPIA-aligned where configured

VaseSign welcomes coordinated disclosure of suspected security vulnerabilities from researchers and customers. Reports help protect everyone using the platform — please avoid disruptive testing that impacts other tenants' availability or data.

Where to report

Email security@vasesign.co.za with a descriptive subject line. Include reproduction steps, affected endpoints or workspaces (without exposing live customer data), and optional proof-of-concept artefacts as attachments or encrypted links if requested.

Scope and expectations

  • Focus on VaseSign-controlled applications and documented APIs — third-party bug bounty scopes belong to those vendors.
  • Do not access, modify, or destroy data belonging to other customers; use dedicated test tenants where available.
  • Avoid denial-of-service attacks, social engineering of VaseSign staff or customers, or physical intrusion attempts.
  • Allow reasonable time for triage and remediation before public disclosure — coordinated publication benefits all users.

Safe harbour for good-faith research

When research is conducted in good faith within this scope, VaseSign will not pursue civil action or law-enforcement referral solely for accidental violations of acceptable-use restrictions discovered during that research — provided you stop testing immediately upon request and do not exfiltrate more data than necessary to demonstrate an issue. This commitment does not extend to malicious conduct, extortion, or violations of applicable law.

Response handling

Acknowledgement timing depends on volume and severity; critical active exploitation receives priority triage. Credit in advisories is offered when mutually agreeable. Monetary rewards are not guaranteed through this public statement — commercial bug bounty programmes, if any, are communicated separately when active.

Operational incidents rather than product vulnerabilities should follow Incident response.