Responsible Disclosure Policy

Digital Asset takes security very seriously for our customers, our products, and our staff. If you are a Security Researcher and have discovered a vulnerability in our website or products, we appreciate your help in disclosing this to us in a responsible manner.

Digital Asset will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond, and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Digital Asset reserves all of its legal rights in the event of any noncompliance.

Guidelines

Responsible Disclosure helps increase security for affected organizations and the community as a whole. Please follow the guidelines below:

  • Don’t disclose a bug or vulnerability on public notice boards, mailing lists, or other public forums, prior to Responsible Disclosure and an appropriate opportunity for it to be fixed.
  • Do not use an exploit to view data without authorization or to compromise confidentiality or availability.
  • Do not perform an attack that would impact the reliability/availability of services. DDoS/Spam attacks are not allowed.
  • Don’t use scanners or automated tools to find vulnerabilities. They can have unintended consequences or impact.
  • Never attempt non-technical attacks, such as social engineering, phishing, or physical attacks against our employees or infrastructure.
  • Do not ask for compensation from an affected firm or through any “marketplace” for vulnerabilities.

While researching, we would like you to refrain from:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Spamming
  • Clickjacking
  • Email bombing/Flooding/rate limiting
  • Social Engineering or phishing of Digital Asset’s employees or contractors
  • Any attack against Digital Asset’s physical property or data centers
  • Scanning Digital Asset infrastructure or products using automated vulnerability scanners
  • Vulnerabilities in third-party SaaS applications and integrations we use
  • Username/E-mail enumeration
  • Missing HTTP security headers or issues related to HTTP headers
  • Missing DMARC, SPF, DANE and CAA records
  • OAuth Misconfiguration
  • Logout Cross-Site Request Forgery
  • EXIF and Geolocation related vulnerabilities

How to Report an Issue

If you believe you have discovered a vulnerability in our software, please contact security@digitalasset.com. Please do not publicly disclose suspected vulnerabilities without prior consent from Digital Asset.

In reporting vulnerabilities, please send details of:

  • Suspected vulnerability.
  • Steps to enable us to reproduce the issue.
  • Your email address and a secure mechanism to contact you.
  • Your name (and/or colleagues) if you would like to be recognized on this page, e.g., your Twitter handle or website as it should be displayed.

You can use the PGP public key below to encrypt your email communication to us. Please include a secure contact mechanism for us to contact you.

Response and Recognition

We will investigate any details you provide and respond as soon as possible, usually within one business day.

To acknowledge the first person who alerts us to previously unknown vulnerabilities, we will show our gratitude by placing their name in the Acknowledgements list below. We do not offer a bug bounty program and compensation requests will not be considered in compliance with this Responsible Disclosure Policy.

Acknowledgements

Digital Asset thanks the following individuals and organizations that have identified vulnerabilities in accordance with this Responsible Disclosure Policy:

PGP Public Key
