Vulnerability disclosure

We appreciate the work of security researchers and customers who report vulnerabilities to us. If you believe you've found a security issue in an OptiSigns product or service, we want to hear from you — and we commit to taking your report seriously.

Reporting a vulnerability

Email security@optisigns.com. Reports go directly to our security owner and are triaged through our documented incident-response process — vulnerability reports are never handled as ordinary support tickets.

We acknowledge reports within 5 business days and keep you informed as we triage, remediate, and validate. Confirmed issues are classified by severity and tracked to resolution.

What to include

  • A description of the issue and where you found it.
  • Steps to reproduce it.
  • The potential impact.
  • Screenshots, request/response samples, or proof-of-concept detail where it helps.

Scope

In scope: the OptiSigns platform and services — the web portal, our APIs, the player applications, and OptiSigns first-party devices (Pro Player, OptiStick).

Ground rules

  • Do not access, modify, or delete data that is not yours — if a proof of concept would touch another customer's data, stop and report what you have.
  • Do not degrade the service: no denial-of-service testing, spam, or social engineering of OptiSigns staff or customers.
  • Test only against accounts you own or are authorized to use.
  • Give us reasonable time to remediate before any public disclosure.

Safe harbor

We will not pursue legal action against researchers who act in good faith: make an effort to avoid privacy violations, data destruction, and service disruption; access only the minimum data needed to demonstrate the issue; and give us a reasonable opportunity to remediate before any public disclosure. Work within this policy and we consider your research authorized.

What we don't do

OptiSigns does not operate a public bug bounty program today, and we don't offer monetary rewards for reports. What we do offer: a direct line to the people who fix things, prompt acknowledgment, and honest follow-through — the same discipline behind our annual third-party penetration test, whose most recent round ended with all findings remediated and validated.

This policy is mirrored in machine-readable form at /.well-known/security.txt.