Disclosure Board

The following list highlights recent disclosures:

SPF

We regularly receive feedback on our use of SPF records. 

Signify does not use a DNS SPF record for mail management. This is intentional, so please do not submit an issue about this.

Information Leakage

An issue raised to Signify was that a version control ignore file on our site was leaking information.

While we do not consider this to be a vulnerability in itself, it did highlight a non-standard practice. As a result, we have altered our deployment process to remove these files before they can be deployed to any test or production environment.

Apache injection in error pages

An issue was identified in which URIs can be modified to inject text into an Apache error page.

The text cannot take advantage of SQL injection or JavaScript manipulation, and Apache does not consider it to be an issue. We agree with Apache that it is not a "bug", but we also agree with the submitter that it is not a good look. That said, we have modified our error pages to avoid this occurring.

Thank you to everyone for contributing to make our site(s) safe!