Responsible Disclosure

Last updated: 2026-05-11

Heads up. Like the other legal pages on this site, this is a draft authored against the actual product. It is pending review by counsel and the operator's legal-tech provider (Termly). The substance reflects how we will run the program in practice; specific wording may change after that review.

1. We want to hear from you

Sigrel handles sensitive identity data on behalf of consumers. If you find a security issue, please tell us — promptly, privately, and in good faith. We commit to working with you to understand it, fix it, and credit your research where appropriate.

2. Scope

The following assets are in scope for this program:

  • sigrel.com and its subdomains (www.sigrel.com, app.sigrel.com, api.sigrel.com).
  • Our authentication endpoints and session-handling logic.
  • The public exposure-scan endpoint at /api/v1/scan.
  • The authenticated API at api.sigrel.com for any logged-in flow.
  • The Sigrel web app — including the dashboard, vault, breach detail, scan history, chat advisor, attack-chain views, and settings pages.
  • The Sigrel mobile / installable PWA shell.

3. Out of scope

The following are out of scope; reports about them will be closed without triage. This is not a complete list — use judgement.

  • Third-party services. Bugs in Supabase, Stripe, Cloudflare, Fly.io, Vercel, Upstash, Resend, Anthropic, OpenAI, xAI, EasyOptOuts, or our intelligence partners should be reported to those vendors directly. We will route reports we receive about them, but our security team does not have the authority to fix them.
  • Social engineering. Attempting to phish, vish, or otherwise manipulate our staff, contractors, or users.
  • Physical attacks. Access to our (or our service providers') physical infrastructure.
  • Volumetric & denial-of-service. Any test that intentionally degrades availability, exhausts rate limits at scale, or generates billing impact for us or our vendors. Use a single test account and modest request volume.
  • Spam and content reports. Issues that are content-related rather than security-related (typos, copy mistakes, etc.).
  • Best-practice-only findings without a concrete impact. Missing security headers, outdated TLS cipher suites that no current client uses, weak DMARC on marketing domains, "X-Powered-By" disclosure, etc. — file these by all means, but expect them to be closed as informational unless paired with an impact story.
  • Self-XSS, clickjacking on pages without sensitive actions, CSRF on authenticated forms where we already have mitigations, and a missing rate limit on a non-sensitive endpoint.
  • Vulnerabilities only exploitable on rooted, jailbroken, or otherwise compromised devices.
  • Reports generated by automated scanners without manual verification or exploit reproduction steps.

4. Rules of engagement (safe harbor)

If your research follows the rules below, Sigrel will not bring or support a civil or criminal action against you under the Computer Fraud and Abuse Act, the DMCA, or equivalent state laws, for activity that we authorise here. We consider research conducted under this policy to be authorised access. We will make a good-faith effort to protect your safe harbor against third parties who attempt to use our service or your report against you.

The rules:

  • Use test accounts only. Sign up with a throwaway email and only interact with your own data. Do not access or attempt to access other users' accounts, data, or identifiers.
  • Stop and report the moment you encounter user data that is not yours. Do not enumerate, exfiltrate, or store it beyond what is strictly needed to demonstrate the issue. Redact what you keep.
  • No destructive actions. Do not delete, modify, or interfere with other users' data or service availability.
  • Reasonable volume only. One or two test accounts and tens of requests, not thousands.
  • Give us time before public disclosure. See Section 7.
  • Comply with the law. Safe harbor covers good-faith research; it does not cover unrelated criminal activity.

5. How to report

Email us at security@sigrel.com. A PGP key for encrypted submissions is published at https://sigrel.com/.well-known/security.txt (forthcoming — until that file is live, plain email over TLS is acceptable). We will publish a key fingerprint here once the key is in place.

A helpful report includes:

  • A clear description of the issue and the impact.
  • Reproduction steps — exact URLs, request bodies, payloads, headers — with screenshots or a short video where helpful.
  • The account, IP, and rough time window you tested from.
  • Any redacted evidence (logs, response bodies) that demonstrates the issue.
  • How you would like to be credited if we acknowledge the report publicly.

6. What you can expect from us

  • Acknowledgement within 3 business days.
  • Initial triage within 7 business days, with a severity assessment and a target remediation window.
  • Status updates at meaningful milestones (root-cause analysis confirmed, fix deployed to staging, fix deployed to production).
  • Public credit, if you want it. We maintain a Security Acknowledgements page (forthcoming) and we will credit valid reports there with your chosen handle or name.
  • A direct line to our security engineers throughout the disclosure process.

7. Coordinated disclosure

Please give us a reasonable opportunity to fix issues before public disclosure. As a default, we ask for 90 days from the time of acknowledgement, or until a fix is deployed and customers have had a chance to update where applicable — whichever is shorter. We will not threaten or pursue legal action over a published report that follows this timeline.

If a critical issue is being actively exploited or poses imminent harm to users, we may ask for an accelerated fix-then-disclose timeline. We will not ask you to suppress a report indefinitely.

8. Compensation

Sigrel does not currently operate a paid bug-bounty program. We offer:

  • Public acknowledgement (with your chosen handle / link).
  • Sigrel swag (stickers, tees) on request for accepted reports.
  • Lifetime Pro-tier access for material findings, at our discretion.

If we launch a paid program later, this page will be the canonical home for program terms.

9. Things we will not do

  • Demand a non-disclosure agreement before you tell us about a vulnerability.
  • Bill you for service usage you incurred in good-faith research within the limits of Section 4.
  • Report you to your employer or to law enforcement for research that follows this policy.

10. Contact

Security reports: security@sigrel.com.
Press and general security questions: hello@sigrel.com.
Sigrel is operated by Stelviq Holdings LLC, a Delaware limited liability company.