Security Disclosure
We actively support and encourage industry disclosure of security vulnerabilities.
Signify takes the security of our applications very seriously. All software has vulnerabilities and it is how you deal with these vulnerabilities that is important.
We encourage all our clients to subscribe to regular security patching of their operating systems and applications. Sometimes, however, this may not be enough to fully eliminate issues.
We are happy to work with anyone that identifies an issue on a website that we manage or have built. We work with our clients to try and resolve any issues raised before they become problems. If you think you have identified an issue then please raise it with us using one of the methods below.
What is Responsible Disclosure?
Responsible disclosure is about
-
Ensuring vulnerabilities can be identified and eliminated effectively and efficiently for all parties
-
Minimising the risk from vulnerabilities that could allow damage to customer’s systems
-
Providing customers with sufficient information for them to evaluate the level of security in vendors' products
-
Providing the security community with the information necessary to develop tools and methods for identifying, managing, and reducing the risks of vulnerabilities in information technology
-
Minimising the amount of time and resources required to manage vulnerability information
-
Facilitating long-term research and development of techniques, products, and processes for avoiding or mitigating vulnerabilities
-
Minimising the amount of antagonism that often exists between parties as a result of different assumptions and expectations, due to the lack of consistent and explicit disclosure practices
How does Signify encourage Responsible disclosure?
-
By encouraging you to contact us providing as much or as little information as you like. If you would like to anonymously let Signify know of an issue this is the direct way to do it.
-
You can complete the Disclosure form. Your name, email and contact number are optional.
-
You can email us at disclosure@signify.co.nz. Please provide us with as much information as possible to identify, recreate and solve this issue.
-
Or let us know about the issue by contacting the New Zealand Internet Task Force on disclosure@nzitf.org.nz. If you would like to stay anonymous make sure you let them know. They will work with you to provide Signify with enough information to address the issue but nothing to identify you, unless you want to be identified.
Acknowledgements
Reverse Tabnabbing
Raised by | Gul Hameed
Issue
Links on the site opened new tabs without preventing the opened tabs from being able to modify the opener. Gul Hameed identified the issue, showed us how it could be exploited, and showed us how to fix links to avoid the problem.
Information Disclosure
Raised by | Ratnadip Gajbhiye ( Mr.Ch4rLi3 )
Issue
A folder existed on one of our test sites that disclosed information that should not be exposed. Ratnadip found this directory and sent a very clear email explaining this issue which we subsequently resolved.
Clickjacking
Raised by
- Pawan B. Iname
- Shivam Khambe
- Lewis Hardy
- Mohd Asif Khan
- Sakshi Patil
- Aakash Kharade
- Pranav Bhandari
- Auntor>
- divineson
Issue
The site was not adding security-enhancing headers to responses, notably X-Frame-Options.
Email DNS records
Signify has a weak SPF record and does not implement a DMARC record on our domain signify.co.nz. This gets picked up by a lot of the automated scan tools people point at our domain. We have had this raised with us a lot of times and this is not something we plan on changing.
Software version Information disclosure warnings
We often get false positive reports of vulnerabilities based on information disclosure data being available. we patch all our servers and software on a regular basis, so these types of issues are more about perception than actual vulnerabilities.
Want to Know More?
The New Zealand Internet Task Force (NZITF) has released guidelines on how New Zealanders and NZ companies can implement coordinated disclosure.
These guidelines will help security researchers and organisations to work together when disclosing and addressing vulnerabilities in ICT systems.
Download the guideline from the NZITF on coordinated disclosure.
Interested?
Talk to us to find out more about how we can help with your digital project.