Responsible Disclosure Policy
Digital Asset takes security very seriously for our customers, our products, and our staff. If you are a Security Researcher and have discovered a vulnerability in our website or products, we appreciate your help in disclosing this to us in a responsible manner.
Digital Asset will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond, and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Digital Asset reserves all of its legal rights in the event of any noncompliance.
Guidelines
Responsible Disclosure helps increase security for affected organizations and the community as a whole. Please follow the guidelines below:
- Don’t disclose a bug or vulnerability on public notice boards, mailing lists, or other public forums, prior to Responsible Disclosure and an appropriate opportunity for it to be fixed.
- Do not use an exploit to view data without authorization, or to compromise confidentiality or availability.
- Do not perform an attack that would impact the reliability/availability of services. DDoS/Spam attacks are not allowed.
- Don’t use scanners or automated tools to find vulnerabilities. They can have unintended consequences or impact.
- Never attempt non-technical attacks, such as social engineering, phishing, or physical attacks against our employees or infrastructure.
- Do not ask for compensation from an affected firm or through any “marketplace” for vulnerabilities.
While researching, we would like you to refrain from:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Spamming
- Clickjacking
- Email bombing/Flooding/rate limiting
- Social Engineering or phishing of Digital Asset’s employees or contractors
- Any attack against Digital Asset’s physical property or data centers
- Scanning Digital Asset infrastructure or products using automated vulnerability scanners
- Vulnerabilities in third-party SaaS applications and integrations we use
- Username/E-mail enumeration
- Missing HTTP security headers or issues related to HTTP headers
- Missing DMARC, SPF, DANE and CAA records
- OAuth Misconfiguration
- Logout Cross-Site Request Forgery
- EXIF and Geolocation related vulnerabilities
How to Report an Issue
If you believe you have discovered a vulnerability in our software, please contact security@digitalasset.com. Please do not publicly disclose suspected vulnerabilities without prior consent from Digital Asset.
In reporting vulnerabilities, please send details of:
- Suspected vulnerability.
- Steps to enable us to reproduce the issue.
- Your email address and a secure mechanism to contact you.
- Your name (and/or colleagues) if you would like to be recognized on this page, e.g., your Twitter handle or website as it should be displayed.
You can use the PGP public key below to encrypt your email communication to us. Please include a secure contact mechanism for us to contact you.
Response and Recognition
We will investigate any details you provide and respond as soon as possible, usually within one business day.
To acknowledge the first person who alerts us to a previously unknown vulnerability, we will show our gratitude by placing their name in the Acknowledgements list below. We do not offer a bug bounty program, and requests for compensation will not be considered to be in compliance with this Responsible Disclosure Policy.
Acknowledgements
Digital Asset thanks the following individuals and organizations that have identified vulnerabilities in accordance with this Responsible Disclosure Policy:
- Jay K Patel (Facebook: jaypatel34)
- Sharan Panegav (securelayer7.net)
- Vinoth Kumar (Twitter: @vinothpkumar)
- Mitesh Patil (LinkedIn)
- Nikhil Sahoo and Ipsita Subhadarshan Sahoo
- Thrivikram Gujarathi (LinkedIn)
- Ben Longstaff (Twitter: @Ben_Longstaff)
- Rafi Ahamed (LinkedIn: Rafi Ahamed)
- Gul Hameed (Twitter: @GulHame45247021)
- Shivang Trivedi (LinkedIn: Shivang Trivedi)
- Gourab Sadhukhan (LinkedIn)
- Armanul Miraz (Twitter: @mirazdevox)
PGP Public Key