We actively support and encourage industry disclosure of security vulnerabilities.
Signify takes the security of our applications very seriously. All software has vulnerabilities and it is how you deal with these vulnerabilities that is important.
We encourage all our clients to subscribe to regular security patching of their operating systems and applications. Sometimes, however, this may not be enough to fully eliminate issues.
We are happy to work with anyone who identifies an issue on a website that we manage or have built. We work with our clients to resolve any issues raised before they become problems. If you think you have identified an issue, please raise it with us using one of the methods below.
Ensuring vulnerabilities can be identified and eliminated effectively and efficiently for all parties
Minimising the risk from vulnerabilities that could allow damage to customers' systems
Providing customers with sufficient information for them to evaluate the level of security in vendors' products
Providing the security community with the information necessary to develop tools and methods for identifying, managing, and reducing the risks of vulnerabilities in information technology
Minimising the amount of time and resources required to manage vulnerability information
Facilitating long-term research and development of techniques, products, and processes for avoiding or mitigating vulnerabilities
Minimising the amount of antagonism that often exists between parties as a result of different assumptions and expectations, due to the lack of consistent and explicit disclosure practices
We do this by encouraging you to contact us, providing as much or as little information as you like. If you would like to let Signify know of an issue anonymously, this is the most direct way to do it.
You can complete the Disclosure form. Your name, email and contact number are optional.
You can email us at email@example.com. Please provide us with as much information as possible to identify, recreate and solve this issue.
Or let us know about the issue by contacting the New Zealand Internet Task Force at firstname.lastname@example.org. If you would like to stay anonymous, make sure you let them know. They will work with you to provide Signify with enough information to address the issue, but nothing that identifies you, unless you want to be identified.
Raised by: Gul Hameed
Issue: Links on the site opened new tabs without preventing the newly opened page from modifying the page that opened it. Gul Hameed identified the issue, showed us how it could be exploited, and showed us how to fix the links to avoid the problem.
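The issue above is the one usually called reverse tabnabbing: a link with target="_blank" and no rel="noopener" leaves the new tab a window.opener handle back to the original page, which it can use to change that page's location. As an added example (not Signify's code, and not what Gul Hameed submitted), the following JavaScript scans markup for such links and rewrites them with rel="noopener noreferrer". The sample HTML is constructed for the demo, and the attribute parsing is a deliberately small regex rather than a full HTML parser.

```javascript
// Added example: find anchors that open a new tab while keeping window.opener
// reachable, and rewrite them with rel="noopener noreferrer".
// Regex-based tag handling is enough for a demo; run a real HTML parser in production.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Parse the attributes of a single <a ...> tag into a Map keyed by lower-cased name.
function parseAttrs(tag) {
  const attrs = new Map();
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// The rel attribute as a set of lower-cased link-type tokens.
function relTokens(attrs) {
  return new Set((attrs.get("rel") || "").toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the anchor opens a new browsing context that retains window.opener.
function isOpenerLeak(tag) {
  const attrs = parseAttrs(tag);
  if ((attrs.get("target") || "").toLowerCase() !== "_blank") return false;
  return !relTokens(attrs).has("noopener");
}

// Rewrite one anchor so that rel carries noopener (and noreferrer for older browsers).
function hardenAnchor(tag) {
  if (!isOpenerLeak(tag)) return tag;
  const rel = relTokens(parseAttrs(tag));
  rel.add("noopener");
  rel.add("noreferrer");
  const relValue = [...rel].join(" ");
  if (/\brel\s*=/i.test(tag)) {
    // Replace the existing rel value, keeping the other tokens (e.g. nofollow).
    return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `rel="${relValue}"`);
  }
  // No rel attribute yet: insert one just before the closing '>'.
  return tag.replace(/\s*\/?>$/, (end) => ` rel="${relValue}"${end.trim()}`);
}

// Scan a whole document: report leaking anchors and return the hardened markup.
function auditHtml(html) {
  const findings = [];
  const fixed = html.replace(ANCHOR_RE, (tag) => {
    if (isOpenerLeak(tag)) findings.push(tag);
    return hardenAnchor(tag);
  });
  return { findings, fixed };
}

// Constructed sample page for the demo (not real site markup).
const SAMPLE_HTML = `
<a href="https://example.org/partner" target="_blank">Partner</a>
<a href="https://example.org/docs" target="_blank" rel="nofollow">Docs</a>
<a href="https://example.org/safe" target="_blank" rel="noopener">Safe</a>
<a href="/about">About</a>
`;

const report = auditHtml(SAMPLE_HTML);
console.log(`${report.findings.length} anchor(s) leak window.opener`);
console.log(report.fixed);
```

Running the block reports two leaking anchors in the sample (the one with no rel and the one whose rel only says nofollow) and prints the markup with noopener added to both; the anchor that already carries noopener and the same-tab link are left untouched.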
Raised by: Ratnadip Gajbhiye ( Mr.Ch4rLi3 )
Issue: A folder existed on one of our test sites that disclosed information that should not be exposed. Ratnadip found this directory and sent a very clear email explaining this issue which we subsequently resolved.
Issue: The site was not adding security-enhancing headers to responses, notably X-Frame-Options.
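Added example, not Signify's own code: a Node.js helper for the header issue above. It holds the set of response headers that scanners commonly check for, X-Frame-Options among them, and offers both an audit function (which headers is a response missing?) and an Express-style middleware that adds the absent ones. The middleware signature and the header values chosen are my assumptions, not anything taken from the page.

```javascript
// Added example: security response headers as an audit and as middleware.

const SECURITY_HEADERS = {
  // Forbid framing by other origins (clickjacking). CSP frame-ancestors is the
  // modern equivalent; setting both covers older and newer browsers.
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
  // Stop browsers sniffing a response into a different content type.
  "X-Content-Type-Options": "nosniff",
  // Send only the origin, not the full URL, as Referer to other sites.
  "Referrer-Policy": "strict-origin-when-cross-origin",
  // Ask browsers to use HTTPS for this host for a year (browsers ignore it over plain HTTP).
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
};

// Return a copy of `headers` with every missing security header filled in.
// Existing values are kept, so an application may choose e.g. SAMEORIGIN.
function withSecurityHeaders(headers) {
  const out = {};
  const present = new Set();
  for (const [k, v] of Object.entries(headers)) {
    out[k] = v;
    present.add(k.toLowerCase());
  }
  for (const [k, v] of Object.entries(SECURITY_HEADERS)) {
    if (!present.has(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// The check a scanner runs: which expected headers are absent (names compared
// case-insensitively, as HTTP header names are)?
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  return Object.keys(SECURITY_HEADERS).filter((k) => !present.has(k.toLowerCase()));
}

// Express-style middleware (assumed signature): set the headers before any
// handler writes the body, without overriding values a handler already set.
function securityHeadersMiddleware(req, res, next) {
  for (const [k, v] of Object.entries(SECURITY_HEADERS)) {
    if (!res.getHeader(k)) res.setHeader(k, v);
  }
  next();
}

// Constructed sample: headers as an only partly hardened response might send them.
const SAMPLE_RESPONSE_HEADERS = {
  "content-type": "text/html; charset=utf-8",
  "x-frame-options": "SAMEORIGIN",
};

console.log("missing:", missingSecurityHeaders(SAMPLE_RESPONSE_HEADERS));
console.log("hardened:", withSecurityHeaders(SAMPLE_RESPONSE_HEADERS));
```

With Express the middleware is registered with app.use(securityHeadersMiddleware) ahead of the routes; the audit function is the same test a scanner applies, so running it against a captured response tells you what such a report will list before the report arrives.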
Email DNS records
Signify has a weak SPF record and does not implement a DMARC record on our domain signify.co.nz. This gets picked up by many of the automated scanning tools people point at our domain. It has been raised with us many times, and it is not something we plan on changing.
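Added example, not Signify's code: the classification that automated scanners apply to SPF and DMARC TXT records, which is why the records described above keep being reported. It grades an SPF record by its terminal "all" mechanism and a DMARC record by its p= policy, then lists the findings a report would contain. The sample records are constructed for the demo and are not signify.co.nz's actual DNS; in use you would feed in the TXT records that dns.resolveTxt returns for the domain and for _dmarc.<domain>.

```javascript
// Added example: grade SPF and DMARC records the way a scanner does.

// Classify an SPF record by the qualifier on its "all" mechanism.
function assessSpf(record) {
  if (!/^v=spf1(\s|$)/i.test(record)) {
    return { valid: false, strength: "none", reason: "not an SPF record" };
  }
  const terms = record.trim().split(/\s+/).slice(1);
  const allTerm = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (!allTerm) {
    return { valid: true, strength: "weak", reason: "no all mechanism: result defaults to neutral" };
  }
  const qualifier = allTerm.length === 4 ? allTerm[0] : "+"; // bare "all" means "+all"
  const grades = {
    "-": { strength: "strong", reason: "-all: unauthorised senders fail" },
    "~": { strength: "moderate", reason: "~all: unauthorised senders softfail" },
    "?": { strength: "weak", reason: "?all: neutral, no assertion made" },
    "+": { strength: "weak", reason: "+all: any sender passes" },
  };
  return { valid: true, ...grades[qualifier] };
}

// Parse a DMARC record's tag=value pairs and report its policy.
function assessDmarc(record) {
  if (record == null) return { present: false, policy: null, reason: "no DMARC record published" };
  const tags = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  if ((tags.v || "").toUpperCase() !== "DMARC1") {
    return { present: false, policy: null, reason: "not a DMARC record" };
  }
  const policy = (tags.p || "none").toLowerCase();
  const reasons = { none: "p=none: monitoring only", quarantine: "p=quarantine", reject: "p=reject" };
  return { present: true, policy, reason: reasons[policy] || "unknown policy", rua: tags.rua || null };
}

// Combine both checks into the findings list a scanner would report.
function assessDomain(records) {
  const spf = assessSpf(records.spf || "");
  const dmarc = assessDmarc(records.dmarc);
  const findings = [];
  if (!spf.valid || spf.strength === "weak") findings.push(`SPF: ${spf.reason}`);
  if (!dmarc.present || dmarc.policy === "none") findings.push(`DMARC: ${dmarc.reason}`);
  return { spf, dmarc, findings };
}

// Constructed sample records (made up for this example, not real DNS data).
const SAMPLE_DOMAINS = {
  weak: { spf: "v=spf1 include:_spf.example.net ?all", dmarc: null },
  hardened: {
    spf: "v=spf1 include:_spf.example.net -all",
    dmarc: "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
  },
};

for (const [name, records] of Object.entries(SAMPLE_DOMAINS)) {
  console.log(name, assessDomain(records).findings);
}
```

The "weak" sample produces the two findings the page describes (a neutral SPF and no DMARC record), and the "hardened" sample produces none; a real check replaces the sample object with the TXT records fetched for the domain.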
Software version information disclosure warnings
We often get false-positive vulnerability reports based on version information being visible. We patch all our servers and software on a regular basis, so these types of issues are more about perception than actual vulnerabilities.
The New Zealand Internet Task Force (NZITF) has released guidelines on how New Zealanders and NZ companies can implement coordinated disclosure.
These guidelines will help security researchers and organisations to work together when disclosing and addressing vulnerabilities in ICT systems.
Download the guideline from the NZITF on coordinated disclosure.