Sigma Vulnerability Disclosure Policy
Sigma is committed to the security and protection of our products, services, customer data, and infrastructure. We recognize the value of engaging with external security researchers in identifying and mitigating security vulnerabilities.
We will appreciate a responsible submission if you believe you’ve found a security vulnerability in a Sigma Computing product. You can submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept (“Report”).
We ask that reporters honor responsible disclosure principles and processes while engaging with us in order for Sigma to evaluate, respond to, or remediate any confirmed security vulnerabilities before public or third-party disclosure.
Responsible Reporting and Disclosure
Sigma believes in responsible reporting and disclosure, and we ask the following:
- Do not violate the privacy of other users, destroy data, or disrupt services
- Promptly report the vulnerability to us and provide as much detail so we can reproduce the vulnerability.
- Report the details of the security vulnerability to us without sharing any information of the vulnerability publicly.
- Do not disrupt or degrade Sigma’s products and services.
- Do not access, modify, destroy, or violate the privacy of any Sigma customer or data.
- Comply with all applicable laws.
- Avoid degradation of user experience, disruption to production systems, and any access, copying, destruction, or manipulation of data.
- Once you’ve established that a vulnerability exists or encountered any of the sensitive data outlined below, you must stop your test and notify us immediately.
- You will NOT be Executing, or attempting to execute, a denial of service attack.
This policy applies to all the products, services, and infrastructure developed, managed, and maintained by Sigma Computing.
Rules of Engagement
Certain vulnerabilities are considered out of scope and include the following:
- Physical attacks against our infrastructure, facilities, offices
- Social engineering attacks, including those targeting our employees, contractors, vendors
- Denial of Service attacks or any activity leading to the disruption of our service
- Any vulnerability obtained from a compromised account
- Scanner output or scanner generated reports
- User Interface or bugs
- Denial of Service or situations where the site and application are not responding.
- Network vulnerabilities (e.g, account takeover, spam, clickjacking, fingerprinting)
- Vulnerabilities in product versions no longer under active support
- Vulnerabilities already known to Sigma
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or bruteforce issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Mail configuration issues including SPF, DKIM, DMARC settings
- Password or account recovery policies, such as reset link expiration or password complexity
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Phishing attacks
- Issues that require unlikely user interaction.
- Testers will not modify or remove any accounts not added by the tester as multiple testers will be using the tenant / org.
- Testers will not modify the “Authentication” page of any designated testing Org.
- Testers will limit testing to the URLs/Orgs provided in the Testing Guidance section below. Any other URL including free trial is not available for such testing purposes.
If you encounter any of the below on Sigma Computing systems while testing within the scope of this policy, stop your test and notify us immediately:
- Personal Identifiable Information (PII)
- Customer Data or Account Credentials
- Financial information (e.g., credit card or bank account numbers)
- Proprietary information or trade secrets of companies of any party
- Denial of Service or situations where the site and application are not responding
Reporting a Security Vulnerability
If you believe you have discovered a security vulnerability issue, please share the details with Sigma Computing by filling the form below.
Sigma Computing will try to acknowledge receipt of your report within 2 business days, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.
Email communication between you and Sigma Computing, including without limitation, emails you send to Sigma Computing reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to Sigma Computing shall be considered non-proprietary. Sigma Computing, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting.
Further, Sigma Computing and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to Sigma Computing for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting Sigma Computing a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.
Sigma is unable to award a bounty to reporters who reside in a country that has been deemed sanctioned by the United States. Sigma employees or previous employees (within the last six months), contractors, and their family members are not eligible for bounties.
Testers should create a dedicated testing account by going to https://staging.sigmacomputing.io/public-vdp or https://staging.sigmacomputing.io/public-vdp-2 and creating an account using a gmail, yahoo, hotmail or protonmail email address. Specify your testing account name with the prefix “bugbounty-“. Once you have access to the instance, please view the workspaces or templates section for further details.
For any questions on the policy and for further help, please write to us at firstname.lastname@example.org
Note: Sigma Computing reserves the right to update the policy at any time.