Please do not open a public GitHub issue for security vulnerabilities.
Email security@sigilo.id with:
- A description of the vulnerability and its potential impact
- Steps to reproduce, including any proof-of-concept code
- The version(s) of @sigilo/verify affected
- Your name and contact information (you'll be credited if you wish)
We acknowledge receipt within 24 hours and provide an initial assessment within 72 hours. We aim to publish a fix within 90 days of confirmation; critical vulnerabilities are typically patched within 7 days.
PGP key fingerprint and full disclosure policy at sigilo.id/security.
This policy covers:
- The @sigilo/verify package and all its published versions
- The Sigilo network APIs documented at docs.sigilo.id
- The Sigilo wallet apps for iOS and Android
Out of scope:
- Third-party issuer implementations (report to the issuer directly)
- Third-party wallet implementations
- Purely theoretical attacks that require unrealistic preconditions
We will not pursue legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, data destruction, and service degradation
- Do not exploit a vulnerability beyond what is necessary to demonstrate it
- Give us reasonable time to remediate before public disclosure
A formal bug bounty programme launches with v1.0. Until then, exceptional reports may be rewarded at our discretion. We will always credit reporters in our release notes (unless you request anonymity).
Researchers who have responsibly disclosed vulnerabilities will be listed here.