Security: Signos-app/verify

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not file public issues for security vulnerabilities. Email russ@signos.app with:

  • A description of the issue
  • Steps to reproduce (or a proof-of-concept)
  • Affected version (commit SHA or tag)
  • Whether the issue is already public

We aim to acknowledge receipt within 48 hours and provide a remediation timeline within 7 days. Critical issues affecting verification correctness or user privacy are prioritized.

In scope

  • The verification logic in this repo (src/)
  • The deployed site at verify.signos.app
  • The sealed-file format used by this verifier (cross-references the spec at Signos-app/spec)
  • The CI/CD pipeline that builds and deploys this code

Out of scope

  • The Signos iOS app — closed source, distributed only through the App Store. Report iOS issues directly to Apple or via the App Store.
  • The Signos backend (api.signos.app, etc.) — not part of this repo. Critical infrastructure issues can still be reported via this address; we'll route them.
  • Algorand blockchain protocol issues — report to Algorand Foundation.
  • Browser, OS, or third-party library vulnerabilities (BLAKE3 WASM, ExifReader, Vite, etc.) — report upstream.
  • The fact that anyone can submit metadata claiming to be from Signos: this verifier checks whether the file matches the on-chain record, and a mismatched file fails verification by design. That is not a vulnerability; that is how it works.

What "vulnerability" means here

Examples of in-scope issues:

  • A file that should fail verification passes (false positive)
  • A file that should pass verification fails (false negative)
  • A way to forge a Signos seal that this verifier accepts
  • A way to extract user data the verifier shouldn't have access to (it doesn't collect any, but bugs happen)
  • A cross-site scripting / supply chain / build-pipeline attack against the deployed site
  • Privacy leaks (any analytics, telemetry, or third-party calls we're not aware of)

Coordinated disclosure

We'll credit reporters in release notes if desired. We'll publish a security advisory on this repo for any confirmed in-scope vulnerability after a fix is deployed.

No bug bounty (yet)

We don't have a paid bounty program. We do appreciate the work and will publicly thank credible reporters.
