Security
Last modified: January 15, 2025
Security Information
At WeSignature, we are committed to protecting the security of our users and appreciate the efforts of independent researchers in identifying potential vulnerabilities. To foster a responsible approach to security, we encourage researchers to report vulnerabilities in a manner that safeguards user data and maintains system integrity.
To ensure the security of our platform and its users, we ask that researchers adhere to ethical guidelines, comply with applicable laws, and avoid actions that could disrupt our services, degrade performance, or compromise data. Additionally, we request that all findings be kept confidential until WeSignature has had the opportunity to assess and address any identified issues.
Scope
This policy applies to:
- All domains and subdomains operated by WeSignature.
- All WeSignature products and services.
How to Report a Security Issue
To help us assess and resolve reported vulnerabilities efficiently, please provide:
- A clear description of the issue, including how it can be reproduced and its potential impact.
- Specific details about the affected feature, product, or service, including relevant URLs.
- A proof-of-concept or logs demonstrating how the vulnerability can be exploited.
- Any required configurations or conditions necessary to trigger the issue.
To report a security vulnerability, please email support@wesignature.com.
What Happens After You Report a Vulnerability?
Once we receive your report, we will review the submission and determine the best course of action. You can expect:
- Acknowledgment of receipt within a reasonable timeframe.
- Updates on our assessment process and any additional information requests.
- Notification once the vulnerability has been addressed.
Issues Considered Out of Scope
Certain types of vulnerabilities do not qualify for our disclosure program, including but not limited to:
- Recommendations that do not pose a direct security risk.
- Email spoofing or issues related to DMARC records.
- Clickjacking on pages without sensitive interactions.
- Cross-site request forgery (CSRF) attacks that do not require authentication.
- Vulnerabilities in third-party platforms outside of WeSignature’s control.
- Issues that do not create a meaningful security risk for users or the platform.
Prohibited Activities
To ensure responsible security testing, researchers must avoid:
- Actions that negatively impact WeSignature, its users, or infrastructure (e.g., denial-of-service attacks, brute-force attacks, spamming).
- Accessing, modifying, storing, or sharing data that does not belong to them.
- Destroying, corrupting, or tampering with WeSignature data or services.
- Attacking WeSignature employees, contractors, or data centers.
- Using social engineering tactics to gain unauthorized access.
- Conducting vulnerability tests on live services without permission.
- Violating any laws or third-party agreements during research.
Unauthorized public disclosure of vulnerabilities before WeSignature has addressed them will be considered a violation of this policy.
Legal Considerations & Safe Harbor
WeSignature is committed to working with security researchers in good faith. We will not take legal action against individuals who:
- Follow the guidelines in this policy.
- Report vulnerabilities in good faith, without malicious intent.
- Avoid privacy violations, service disruptions, and data destruction.
WeSignature reserves the right to revise this policy at any time.
Bug Bounty Program
At this time, WeSignature does not offer a paid bug bounty program, but this may change in the future.