Security

Coordinated vulnerability disclosure.

Certisyn builds verification infrastructure institutions rely on, so the security of our systems is the product. We welcome and value the work of security researchers. If you believe you have found a vulnerability, this page tells you how to report it, what is in scope, and the commitment we make to you in return.

How to report

Email security@certisyn.com. Please include enough detail for us to reproduce the issue: the affected URL or endpoint, a description of the vulnerability, the steps to reproduce, and your assessment of the impact. A proof-of-concept helps, but please keep it to the minimum needed to demonstrate the issue. If you wish to encrypt your report, our PGP key is linked from the Encryption field of our security.txt.

Scope

In scope:

  • certisyn.com and its subdomains, including app.certisyn.com and the sovereign-workspace surfaces (allied, litigation, imprimatur, forensis).
  • The Certisyn public API.

Out of scope:

  • Volumetric denial-of-service and other availability tests.
  • Social engineering, phishing of staff or partners, and physical attacks.
  • Vulnerabilities in third-party services we use (e.g. our hosting, database, or edge providers) — report those to the provider.
  • Reports that consist only of automated-scanner output or missing best-practice headers without a demonstrated security impact.

Safe harbour

If you make a good-faith effort to comply with this policy during your research, we will consider your research authorised, we will work with you to understand and resolve the issue quickly, and we will not pursue or support legal action against you. We will not treat your work as a breach of our terms of service. If legal action is initiated by a third party against you for activity conducted in accordance with this policy, we will make this authorisation known.

Rules of engagement

  • Only ever test against accounts and data you own or have explicit permission to use.
  • Do not access, modify, exfiltrate, or destroy data that does not belong to you. Stop at the point a vulnerability is demonstrated.
  • Do not degrade the service for others.
  • Give us a reasonable opportunity to remediate before any public disclosure, and coordinate the timing of any disclosure with us.

Our commitment

We will acknowledge your report within three business days, keep you informed as we investigate and remediate, and — with your permission — credit you once the issue is resolved. We do not currently operate a paid bounty programme, but we recognise and are grateful for responsible disclosure.

This policy is also published in machine-readable form at /.well-known/security.txt per RFC 9116.
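The RFC 9116 format referenced above is simple, but the mistakes that quietly break a disclosure channel (an expired file, a bare e-mail address instead of a mailto: URI, a key served over plain HTTP) are easy to miss by eye. The checker below is an added example written for this page, not Certisyn's own tooling; the example.com values in the constructed sample files are hypothetical.

```python
"""RFC 9116 security.txt checker (added example; not Certisyn's own code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Field names RFC 9116 defines. Contact and Expires are required;
# Expires and Preferred-Languages may appear only once.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
REQUIRED_FIELDS = {"Contact", "Expires"}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}
URI_FIELDS = {"Contact", "Encryption", "Acknowledgments", "Canonical",
              "Policy", "Hiring", "CSAF"}

FIELD_RE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines into {field: [values]}.

    Blank and '#' comment lines are skipped. If the file is wrapped in a PGP
    cleartext signature, the armor header and the signature block are skipped
    so only the signed body is parsed; verifying the signature is a separate
    step not done here. Lines that are not 'Name: value' are collected under
    the pseudo-key '_malformed'.
    """
    fields: dict[str, list[str]] = {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            for hdr in lines:          # skip "Hash: ..." headers up to the blank line
                if not hdr.strip():
                    break
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                      # everything after this is signature, not fields
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            fields.setdefault("_malformed", []).append(raw)
            continue
        name, value = m.groups()
        # Field names are case-insensitive; normalise to the RFC's spelling.
        canon = next((k for k in KNOWN_FIELDS if k.lower() == name.lower()), name)
        fields.setdefault(canon, []).append(value)
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for raw in fields.pop("_malformed", []):
        problems.append(f"malformed line: {raw!r}")
    for req in sorted(REQUIRED_FIELDS - fields.keys()):
        problems.append(f"missing required field: {req}")
    for name in sorted(SINGLE_VALUED):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for name in sorted(fields.keys() - KNOWN_FIELDS):
        problems.append(f"unknown field: {name}")

    # RFC 9116: e-mail contacts must be mailto: URIs, and any web URI in
    # these fields must use https://.
    for name in sorted(URI_FIELDS):
        for v in fields.get(name, []):
            if v.startswith("http://"):
                problems.append(f"{name} must use https://: {v}")
            elif name == "Contact" and "@" in v and not v.startswith("mailto:"):
                problems.append(f"Contact e-mail must be a mailto: URI: {v}")

    # Expires: ISO 8601 / RFC 3339 timestamp with an offset, in the future,
    # and (per the RFC's recommendation) less than a year away.
    for exp in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {exp}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires has no timezone offset: {exp}")
        elif when <= now:
            problems.append(f"security.txt expired at {exp}")
        elif when - now > timedelta(days=365):
            problems.append(f"Expires is more than a year out: {exp}")
    return problems


# Constructed sample files; the example.com values are hypothetical.
_SOON = (datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ")
GOOD = f"""\
# Constructed security.txt
Contact: mailto:security@example.com
Expires: {_SOON}
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
Preferred-Languages: en
"""

BAD = """\
Contact: security@example.com
Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Encryption: http://example.com/key.txt
Hiring https://example.com/jobs
"""

if __name__ == "__main__":
    print("GOOD:", check_security_txt(GOOD) or "ok")
    for problem in check_security_txt(BAD):
        print("BAD:", problem)
```

Run against a live file by fetching https://<host>/.well-known/security.txt over TLS and passing the body to check_security_txt; the parser tolerates the PGP cleartext wrapper a signed file carries, but actually verifying that signature against the key in the Encryption field is a separate step.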