Responsible Disclosure Policy

 

Digital Asset takes security very seriously for our customers, our products and our staff. If you are a Security Researcher and have discovered a vulnerability in our web site or products, we appreciate your help in disclosing this to us in a responsible manner.

Digital Asset will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Digital Asset reserves all of its legal rights in the event of any noncompliance.

 

Guidelines

 
Responsible Disclosure helps increase security for affected organizations and the community as a whole. Please follow the guidelines below:
- Don’t disclose a bug or vulnerability on public notice boards, mailing lists or other public forums, prior to Responsible Disclosure and an appropriate opportunity for it to be fixed.
- Do not utilize an exploit to view data without authorization, or to compromise confidentiality or availability.
- Do not perform an attack that would impact the reliability / availability of services. DDoS/Spam attacks are not allowed.
- Don’t use scanners or automated tools to find vulnerabilities. They can have unintended consequences or impact.
- Never attempt non-technical attacks, such as social engineering, phishing or physical attacks against our employees or infrastructure.
- Do not ask for compensation from an affected firm or through any “marketplace” for vulnerabilities.
 
While researching, we would like you to refrain from:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Spamming
- Clickjacking
- Email bombing/Flooding/rate limiting
- Social Engineering or phishing of Digital Asset’s employees or contractors
- Any attack against Digital Asset’s physical property or data centers
- Scanning Digital Asset infrastructure or products using automated vulnerability scanners.
- Vulnerabilities in Third party SaaS applications and integrations we use
- Username/E-mail enumeration
- Missing HTTP security headers or issues related to HTTP headers
- Missing DMARC, SPF, DANE and CAA records
- OAuth Misconfiguration
- Logout Cross-Site Request Forgery
- EXIF and Geolocation related vulnerabilities

 

How to Report an Issue

 

If you believe you have discovered a vulnerability in our software, please contact security@digitalasset.com. Please do not publicly disclose suspected vulnerabilities without prior consent from Digital Asset.

In reporting vulnerabilities, please send details of:

  • Suspected vulnerability.
  • Steps to enable us to reproduce the issue.
  • Your email address and secure mechanism to contact you.
  • Your name (and/or colleagues) if you would like to be recognized on this page, e.g., your twitter handle or website as it should be displayed.

You can use the PGP public key below to encrypt your email communication to us. Please include a secure contact mechanism for us to contact you.

 

Response and Recognition

 

We will investigate any details you provide and respond as soon as possible, usually within one business day.

To acknowledge the first person who alerts us to previously unknown vulnerabilities, we will show our gratitude by placing their name in the Acknowledgements list below. We do not offer a bug bounty program, and requests for compensation will not be considered to be in compliance with this Responsible Disclosure Policy.

  

Acknowledgements

 

Digital Asset thanks the following individuals and organizations that have identified vulnerabilities in accordance with this Responsible Disclosure Policy:


Jay K Patel (Facebook: jaypatel34)

Sharan Panegav (securelayer7.net)

Vinoth Kumar (Twitter: @vinothpkumar)

Mitesh Patil (https://www.linkedin.com/in/mitesh-patil-26a15b137)

Nikhil Sahoo and Ipsita Subhadarshan Sahoo

Thrivikram Gujarathi (https://www.linkedin.com/in/thrivikram-gujarathi-penetration-tester-53074796)

Ben Longstaff (Twitter: @Ben_Longstaff)

Rafi Ahamed (LinkedIn: https://www.linkedin.com/in/rafi-ahamed-aa7110139/)

Gul Hameed (Twitter: https://twitter.com/GulHame45247021?s=03)

Shivang Trivedi (LinkedIn: https://www.linkedin.com/in/shivang-trivedi-a149b2190/)

 

Gourab Sadhukhan (LinkedIn: https://www.linkedin.com/in/gourab-sadhukhan-71158216a)

 
Armanul Miraz

 

PGP Public Key

 
