← Back to getsige.com
Security policy
Coordinated Vulnerability Disclosure (CVD) for Sige Software Solutions OPC ·
Last updated 2026-05-03 · Version 1.0
We take the security of getsige.com, the Sige Hub PWA,
and our Azure-hosted APIs seriously. If you have discovered a security
vulnerability, this page tells you how to report it responsibly.
1. Scope
This policy covers:
getsige.com and all subdomains
sigeph.com.ph, sigepilipinas.ph
- Sige PWA on production, staging, and test Azure environments
- Sige Insights Portal at
/insights
- Sige Admin Portal at
/admin
- Public-facing API endpoints under
/api/*
Out of scope:
- Third-party services we depend on (Azure, Google Gemini, Cloudflare, Open Food Facts) — please report directly to the vendor
- Social engineering of Sige staff or contractors
- Physical attacks against infrastructure
- Spam, content issues, or denial-of-service attacks
2. How to report
Contact us at
security@getsige.com
or, as a backup,
dev@van-wouw.com.
We accept reports in English, Tagalog, Cebuano, or Dutch.
Please include:
- A description of the vulnerability and its impact
- Steps to reproduce (URL, request, payload)
- Any proof-of-concept or screenshots
- Your name or handle for acknowledgment (optional)
3. What you may do
- Test against your own account or test data only
- Stop testing as soon as you have demonstrated impact
- Avoid actions that degrade service for other users (rate-limit floods, DoS, automated scans at high volume)
- Avoid accessing, copying, modifying, or destroying personal data of other users
- If you accidentally encounter PII, stop, do not store it, and report immediately
4. What we promise
- We will acknowledge your report within 5 business days
- We will keep you informed of progress until the issue is resolved
- We will not pursue legal action against good-faith researchers who follow this policy
- With your consent, we will credit you in our acknowledgments
- For valid critical findings (RCE, data exfiltration, auth bypass), we aim to deploy a fix within 14 days
5. No bug bounty (yet)
Sige is a self-funded Filipino startup. We do not currently offer
monetary rewards. We do offer public credit, swag where
feasible, and our genuine thanks.
6. PII and DPA-compliance
Sige processes Filipino personal data under the
Data Privacy Act (RA 10173). If your finding involves
a personal data breach as defined by NPC Circular 16-03, we will
coordinate with you on responsible disclosure and notify the
National Privacy Commission within 72 hours per legal requirement.
See our
privacy policy
for our data-handling practices.
7. Hall of fame
With the researcher's consent, we list valid contributors below.
No findings yet — be the first.
8. References
Sige Software Solutions OPC · SEC registered, Digos City, Davao del Sur, Philippines ·
About ·
Privacy ·
security@getsige.com