Vulnerability Disclosure Policy

At GlobalSign.in, we take security and privacy issues very seriously. Our team continuously improves our systems and processes to protect our clients' data and to ensure the continuity of our services. However, this does not mean that our systems are immune to problems. If you detect a problem, we would like your help. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our end users.

Security Researchers should…

  • Respect the rules. Operate within the rules set forth by this policy, or speak up if you strongly disagree with them.
  • Respect privacy. Make a good faith effort not to access or destroy another user’s data.
  • Be patient. Make a good faith effort to clarify and support your reports upon request.
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

Program Rules:

  • Notify us as soon as you discover a potential security vulnerability.
  • Do not share details of the suspected vulnerability publicly or with any third party.
  • Only use or access accounts and information that belong to you.
  • Do not destroy or modify data that is not yours.
  • Do not degrade the performance of GlobalSign.in products and services or the experience of our users.
  • Do not perform social engineering, physical, or denial of service attacks on GlobalSign.in personnel, locations, or assets.
  • Do not repeatedly access a system once you have demonstrated a vulnerability, and do not share any access you obtain with others.

Scope:

This program applies to GlobalSign.in products, services, and systems. Always verify whose assets you are testing before and while performing research; a host that is not covered by the pattern below is not in scope, even if it appears related. Assets in scope for this program are:

*.globalsignin.com

Out of Scope Vulnerabilities:

  • Findings from applications or systems not listed in the ‘In Scope’ section.
  • Attacks requiring MITM or physical access to a user’s device.
  • Clickjacking on pages with no sensitive actions.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without a demonstrated attack vector (i.e. without the ability to modify HTML/CSS).
  • Rate limiting or bruteforce issues on non-authentication endpoints.
  • Tabnabbing.
  • Anything not permitted by applicable law.

How to Report a Vulnerability

If you have detected a vulnerability, please send your report, including a proof of concept (POC) and steps to reproduce, to secops@globalsignin.com.

What we would like to see from you

To help us triage and remediate potential findings, a good vulnerability report should:

  • Describe the vulnerability, precisely where it was discovered (host, endpoint, parameter), and its real-world impact.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
  • Cover one vulnerability per report (unless the vulnerabilities form a single attack chain).
  • Not consist of automated scanner results without proof of exploitability.

NOTE: Vulnerabilities reported without a POC (Proof of Concept) and steps to reproduce will not be considered for this reward program.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 7 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about the remediation process, including on issues or challenges that may delay resolution.
  • When you follow the guidelines that are laid out above, we will not pursue or support any legal action related to your research.
  • If you are the first to report a “qualifying vulnerability” in accordance with this Policy, we would like to recognize your contribution on our Security Researcher Hall of Fame and/or with a reward.