eSigKit

Security disclosure policy

Last updated 2026-05-03

We take the security of customer data seriously and welcome reports from independent researchers. This page is also linked (via the Policy field) from an RFC 9116 security.txt file served at the well-known path /.well-known/security.txt.

1. How to report

Email security@esigkit.com with a description of the issue, steps to reproduce, and any proof-of-concept material. PGP-encrypted email is welcome; the key fingerprint is published in our security.txt file at the well-known path. Please use a fresh email thread per finding so we can track each issue separately.

2. What to include

  • A clear description of the vulnerability and its potential impact.
  • The exact endpoint, parameter, or workflow where it occurs.
  • Reproduction steps — proof-of-concept code or HTTP requests.
  • Whether you accessed any data you were not authorized to view.
  • Your preferred contact for follow-up and credit.

3. What you can expect from us

  • Acknowledgement within 2 business days.
  • Triage within 5 business days. We will confirm whether the issue is in scope and reproducible, and tell you the severity we have assigned.
  • Patch timeline communicated up front. Critical issues target a fix within 7 days; high-severity issues within 30 days.
  • Coordinated disclosure. We will work with you on public disclosure timing once the fix has shipped to all customers. The default disclosure date is 90 days from the initial report, or earlier by mutual agreement.
  • Credit. If you wish, we’ll list you in our security acknowledgements (this page) once the issue is fixed.

4. Scope

The following are in scope for this policy:

  • app.esigkit.com, app-dev.esigkit.com (dashboard)
  • api.esigkit.com, api-dev.esigkit.com (API)
  • auth.esigkit.com, auth-dev.esigkit.com (Cognito custom domain)
  • cdn.esigkit.com, cdn-dev.esigkit.com (signature delivery)
  • The eSigKit Chrome extension (when published)

Out of scope:

  • Findings from automated scanners that lack a working proof-of-concept against our endpoints.
  • Reports of missing security headers without a demonstrable impact.
  • Volumetric DoS / DDoS testing. We do not consent to load testing of production; if demonstrating a finding genuinely requires it, coordinate with us in advance.
  • Social engineering of staff, physical attacks, or attacks against third-party providers (AWS, Stripe, Cloudflare, Google). Report those to the provider concerned.

5. Safe-harbor commitment

We will not pursue legal action against, or report to law enforcement, any researcher who:

  • Acts in good faith to report a vulnerability.
  • Avoids privacy violations, destruction of data, and interruption of service. Use your own test accounts and test data; do not access, copy, or retain more customer data than is required to demonstrate the issue. If you encounter customer data unexpectedly, stop, do not keep it, and tell us in your report.
  • Gives us a reasonable opportunity to fix before public disclosure.
  • Does not exploit the issue for personal gain.

6. Bug bounty

We do not currently run a paid bounty program. We are tracking community interest and will revisit once Phase 7 launch traffic materializes. In the meantime, we offer public credit and swag for valid findings.

7. Acknowledgements

Researchers who have reported confirmed issues will be credited here, with their permission. The list is currently empty, as the product has not yet launched publicly.