DO NOT access any secret, proprietary or personal data belonging to any organization, its employees or users.
Making the Internet dependable
Every day, hordes of criminal hackers scan live websites and services.
SIN-PI is an attempt at beating them to the punch, at scale.
SIN-PI is a communication platform between good-hearted independent cyber-security researchers and vulnerable organizations. It was established to encourage independent reporting of security issues in Internet services and portals, and to ensure they get proper attention and correct resolution.
SoftSeq uses business channels to communicate the findings in full, free of any charge or commitment, directly to top management of the vulnerable organizations.
SoftSeq does NOT share SIN-PI submissions with any 3rd parties, at any time, unless explicitly required by law.
About the initiative
SIN-PI vulnerability discovery is crowd-sourced by volunteering cyber-security experts.
All vulnerability submissions come from security experts whose research is independent of SoftSeq.
SoftSeq does NOT bear any affiliation with the researchers who submit the discovered vulnerabilities to SIN-PI.
SoftSeq may not be held liable for any damages resulting from independent security research.
SoftSeq's only role in SIN-PI is communicating independent security findings to the vulnerable parties.
Guidelines for researchers
The information below consists only of recommendations, since SoftSeq is NOT associated with any security researchers participating in SIN-PI and has no control over their actions or lack thereof.
SoftSeq requests that all information submitted to SIN-PI be acquired lawfully. It’s up to independent researchers to ensure their actions break no laws of any jurisdiction involved.
SoftSeq condemns and discourages inflicting any kind of damage or service disruption on systems being assessed.
Don't be evil, do NO harm.
DO NOT modify, change or corrupt any data belonging to any organization, its employees or users.
DO NOT stress-test availability of any systems.
DO NOT use ANY automated security testing software as it may render the target system unstable in unforeseen ways.
Everyone makes mistakes. Respect responsible disclosure rules.
Adhere to the US-CERT responsible disclosure framework.
SoftSeq will NOT share any vulnerability information with any 3rd parties, at any point in time, unless explicitly required by law.
SoftSeq kindly requests that researchers adhere to the 45-day “no adequate response” vulnerability disclosure policy of US-CERT. SoftSeq shall keep researchers informed of the affected vendor’s vulnerability handling progress.
SoftSeq does NOT own any rights to information about discovered vulnerabilities. Ownership rights over all information submitted to SIN-PI are reserved by the security researchers who discovered them.
Please remember that you bear sole responsibility for your actions against any target systems.
Read the US CFAA and act in a manner that violates none of its paragraphs; specifically, ensure you’re causing no direct or indirect damage. Once a vulnerable point is identified, do NOT use it to further your access or knowledge about the system (e.g. if a quote character causes an SQL error, do NOT try to build proof-of-concept code using it).
SoftSeq will ban researchers who neglect these guidelines from submitting further vulnerabilities to SIN-PI.
Researchers may be rewarded
- By assisted party
Should a contacted organization desire to financially reward a researcher, it will be arranged with zero commission for SoftSeq; SIN-PI is not run for profit.
- By SoftSeq
Should SIN-PI happen to result in SoftSeq signing up any contacted organization for security engineering services, SoftSeq will reward the researchers involved.