Responsible Disclosure Policy


Digital Asset takes security very seriously for our customers, our products and our staff. If you are a Security Researcher and have discovered a vulnerability in our web site or products, we appreciate your help in disclosing this to us in a responsible manner.

Digital Asset will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Digital Asset reserves all of its legal rights in the event of any noncompliance.

 

 

Guidelines

 

Responsible Disclosure helps increase security for affected organizations and the community as a whole. Please follow the guidelines below:

Don’t disclose a bug or vulnerability on public notice boards, mailing lists or other public forums, prior to Responsible Disclosure and an appropriate opportunity for it to be fixed.

Do not use an exploit to view data without authorization, or to compromise confidentiality or availability.

Do not perform an attack that would impact the reliability / availability of services. DDoS/Spam attacks are not allowed.

Don’t use scanners or automated tools to find vulnerabilities. They can have unintended consequences or impact.

Never attempt non-technical attacks, such as social engineering, phishing or physical attacks against our employees or infrastructure.

Do not ask for compensation from an affected firm or through any “marketplace” for vulnerabilities.

 

 

How to Report an Issue

 

If you believe you have discovered a vulnerability in our software, please contact security@digitalasset.com. Please do not publicly disclose suspected vulnerabilities without prior consent from Digital Asset.

In reporting vulnerabilities, please send details of:

  • Suspected vulnerability.
  • Steps to enable us to reproduce the issue.
  • Your email address and a secure mechanism to contact you.
  • Your name (and/or colleagues) if you would like to be recognized on this page, e.g., your Twitter handle or website as it should be displayed.

 

You can use the PGP public key below to encrypt your email communication to us. Please include a secure contact mechanism for us to contact you.

 

 

Response and Recognition

 

We will investigate any details you provide and respond as soon as possible, usually within one business day.

To acknowledge the first person who alerts us to previously unknown vulnerabilities, we will show our gratitude by placing their name in the Acknowledgements list below. We do not offer a bug bounty program and compensation requests will not be considered in compliance with this Responsible Disclosure Policy.

 
 
Acknowledgements

Digital Asset thanks the following individuals and organizations that have identified vulnerabilities in accordance with this Responsible Disclosure Policy:


Jay K Patel (Facebook: jaypatel34)

Sharan Panegav (securelayer7.net)

Vinoth Kumar (Twitter: @vinothpkumar)

Mitesh Patil (https://www.linkedin.com/in/mitesh-patil-26a15b137)

Nikhil Sahoo and Ipsita Subhadarshan Sahoo

Thrivikram Gujarathi (https://www.linkedin.com/in/thrivikram-gujarathi-penetration-tester-53074796)

Ben Longstaff (Twitter: @Ben_Longstaff)

Rafi Ahamed (LinkedIn: https://www.linkedin.com/in/rafi-ahamed-aa7110139/)

Gul Hameed (Twitter: https://twitter.com/GulHame45247021?s=03)

Shivang Trivedi (LinkedIn: https://www.linkedin.com/in/shivang-trivedi-a149b2190/)

 

Gourab Sadhukhan (LinkedIn: https://www.linkedin.com/in/gourab-sadhukhan-71158216a)

 
Armanul Miraz

 
