Vulnerability Disclosure Policy
Seald, Inc. ("Seald", "we") welcomes security research that helps keep our customers and signers safe. This Vulnerability Disclosure Policy ("VDP") explains what is in scope, what is out of scope, the rules of engagement, the safe-harbor we offer to good-faith researchers, and how to reach us. It supplements our Acceptable Use Policy and our Terms of Service.
1. How to report
Send your report to security@seald.nromomentum.com. Use the subject line Security report — <short title>. A machine-readable copy of this contact information is published at /.well-known/security.txt per RFC 9116.
Please include:
- A description of the vulnerability and its impact.
- Reproduction steps, including any URL, payload, account, request/response, and screenshot needed to confirm the issue. Use a test account; do not use a real customer's account.
- The minimum personal data necessary. Redact anything you do not need to send.
- Your preferred contact details and whether you would like to be credited if we publish a write-up.
If you must encrypt the report, our PGP key is available at /.well-known/security-pgp-key.txt when published. If we do not yet have a key, please tell us and we will provide one within two (2) business days.
2. Our response timelines
For reports received in good faith and following the rules below:
- Acknowledgement — within two (2) business days.
- Triage decision (in scope / out of scope, severity) — within ten (10) business days.
- Status updates — at least every fourteen (14) days while the report is open.
- Fix targets — Critical: 30 days; High: 60 days; Medium: 90 days; Low: best effort. The clock starts when we accept the report.
- Public disclosure — coordinated with the reporter; ordinarily we ask for ninety (90) days from acknowledgement before public disclosure, with extensions for complex remediation.
If we decide a report is out of scope, we will tell you why so you can decide whether to escalate.
3. Scope
3.1 In scope
- seald.nromomentum.com (marketing site and web application surfaces).
- api.seald.nromomentum.com (the Seald API).
- The signing flow at seald.nromomentum.com/sign/…, including the recipient signing experience, audit trail, and Certificate of Completion generation.
- Cryptographic correctness of PAdES-LT seals issued by the Service.
- Authentication, account, billing, and access-control surfaces.
- Mobile-web rendering of the above surfaces.
3.2 Out of scope
- Findings against third-party services we list as Sub-processors — please report those upstream.
- Reports that are based on output from automated scanners without a working proof of concept.
- Self-XSS, social-engineering of Seald staff or customers, physical attacks on Seald or supplier facilities, denial-of-service of any kind, and rate-limit / brute-force testing without our prior written permission.
- Missing security headers, cookie-attribute findings, TLS configuration scoring, banner-grab fingerprints, and similar non-impact findings unless paired with a demonstrable security consequence.
- Findings that require root/jailbreak on a victim's device, or a malicious browser extension already running with the victim's full privileges.
- Best-practice or hardening suggestions without an exploitable consequence (we welcome them, but they are not eligible for the safe-harbor).
4. Rules of engagement
- Test only against accounts you control. Do not access, modify, or destroy any account, document, or signature that is not yours.
- Do not exfiltrate personal data, document content, or signature material. If you accidentally encounter it, stop, delete it from your systems, and tell us in your report.
- Do not run automated scanners against the production Service without our prior written permission. If you need to test at scale, contact us first and we will arrange a sandbox.
- Avoid privacy violations, degradation of the Service, and disruption to other users. If your testing causes an outage, stop testing and tell us immediately.
- Do not use the report contact channel for unrelated disputes, support requests, or marketing.
5. Safe-harbor
If you make a good-faith effort to comply with this VDP — particularly Sections 3 (Scope) and 4 (Rules of engagement) — Seald will not initiate or recommend a civil claim against you for your security research, and we will treat your activities as authorized for purposes of the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Digital Millennium Copyright Act anti-circumvention provisions (17 U.S.C. § 1201) for technical measures protecting our systems, and applicable state computer-misuse laws.
This safe-harbor extends only to Seald's claims; it does not bind third parties (including our Sub-processors) and it does not waive any rights of any other party. If a third party initiates an action against you for activities that you conducted in compliance with this VDP, we will make our authorization known where we can.
If you are unsure whether your planned testing is consistent with this VDP, ask first at security@seald.nromomentum.com. We would rather discuss it than lose the chance to help you stay safe.
6. Recognition and rewards
We do not currently operate a paid bug-bounty program. We acknowledge researchers in our security-changelog when a finding is fixed and the reporter consents to be named. We may, at our discretion, offer Seald swag, account credits, or a written reference.
7. Legal process and law-enforcement requests
Researchers who receive a subpoena, civil investigative demand, search warrant, or similar process related to a vulnerability they reported to Seald should tell us at legal@seald.nromomentum.com as soon as the law allows so we can coordinate an appropriate response.
8. Changes to this Policy
We will update this Policy as our scope, response capacity, or safe-harbor commitments change. The version line at the top of this page reflects the latest revision. Material changes (changes to scope or safe-harbor) will be announced on the Seald blog and in our Trust Center.
9. Contact
- Reports: security@seald.nromomentum.com
- Machine-readable contact: /.well-known/security.txt
- General legal: legal@seald.nromomentum.com