VaseSign welcomes coordinated disclosure of suspected security vulnerabilities from researchers and customers. Reports help protect everyone using the platform — please avoid disruptive testing that impacts other tenants' availability or data.
Where to report
Email security@vasesign.co.za with a descriptive subject line. Include reproduction steps, affected endpoints or workspaces (without exposing live customer data), and optional proof-of-concept artefacts as attachments or encrypted links if requested.
Scope and expectations
- Focus on VaseSign-controlled applications and documented APIs — third-party bug bounty scopes belong to those vendors.
- Do not access, modify, or destroy data belonging to other customers; use dedicated test tenants where available.
- Avoid denial-of-service attacks, social engineering of VaseSign staff or customers, or physical intrusion attempts.
- Allow reasonable time for triage and remediation before public disclosure — coordinated publication benefits all users.
Safe harbour for good-faith research
When research is conducted in good faith within this scope, VaseSign will not pursue civil action or law-enforcement referral solely for accidental violations of acceptable-use restrictions discovered during that research — provided you stop testing immediately upon request and do not exfiltrate more data than necessary to demonstrate an issue. This commitment does not extend to malicious conduct, extortion, or violations of applicable law.
Response handling
Acknowledgement timing depends on volume and severity; critical active exploitation receives priority triage. Credit in advisories is offered when mutually agreeable. Monetary rewards are not guaranteed through this public statement — commercial bug bounty programmes, if any, are communicated separately when active.
Operational incidents, rather than product vulnerabilities, should follow Incident response.