Security Reporting

Our Commitment

At TouchSource, the security of our clients’ data and the integrity of our digital signage solutions are of paramount importance. We welcome and appreciate the disclosure of any vulnerabilities you may discover in our Spark PX platform or media players.

We treat each security report with the utmost seriousness. We commit to prompt communication while we investigate the potential impact on our customers, and we will take the necessary steps to remediate any confirmed issues.

We uphold the principles of Responsible Disclosure, including but not limited to:

  • Making every effort to avoid accessing data of other users, and avoiding disruption of our services.
  • Adhering to our Terms of Service.
  • Refraining from public disclosure of any vulnerability until TouchSource has had reasonable time to resolve or mitigate the issue.

Additionally, we ask that you avoid any social engineering or phishing attempts on our customers or employees, and refrain from physically accessing any of our properties or media players.

If you follow these responsible disclosure guidelines, we commit to:

  • Treating each report with the utmost seriousness and urgency.
  • Communicating promptly and working with you to understand and resolve the issue.
  • Providing recognition for your contribution to our security, if desired.

While TouchSource does not currently operate a bug bounty program, we may choose to offer a reward for significant security reports at our discretion.

How to Report an Issue

Please contact [email protected] with details of the issue.
Include at least the following information:

  1. A clear description and your assessment of the severity of the issue.
  2. Detailed steps to reproduce the issue.
  3. Any sensitive information you may have inadvertently accessed during your research.

If you need to provide sensitive data or credentials in your report, please inform us, and we will provide you with a public GPG key for encryption.

Reports We Are Interested In

We are interested in any reports that affect the security of our Spark PX platform, our media players, or our clients’ data. This includes, but is not limited to:

  • Vulnerabilities in our cloud-based platform
  • Security issues with our media player devices
  • Potential data exposure or unauthorized access
  • Authentication or authorization flaws

What We’re Not Looking For

We are not interested in reports of:

  • Common non-vulnerabilities, such as those listed here: https://bughunters.google.com/learn/invalid-reports/5374985771941888/about-this-section
  • Issues that are not exploitable in real-world scenarios
  • General security best practice concerns (e.g., password policy suggestions)
  • Results from automated vulnerability scans without manual verification
  • Social engineering or phishing attack scenarios
  • Issues related to extracting data using already compromised devices or credentials

If you’re unsure whether an issue falls within our scope, please don’t hesitate to reach out to us for clarification.

We appreciate your commitment to security and thank you for helping us maintain the highest standards of protection for our clients and their users.