Collect
Client intake without the friction.
Connect
Auto-extract into UltraTax, Lacerte, Drake.
Deliver
8879 e-sign + payment in one flow.
About Soraban
Who we are and why we build.
Life at Soraban
Team, culture, and open roles.
Careers
Open roles and working at Soraban.
Integrations
Security
Firm Stories
How firms use Soraban in practice.
Blog
Insights from the Soraban team.
Log InRequest a Demo
SECURITY

Responsible Disclosure Policy

Version 1.0 · Latest update: 8/11/2025

At Soraban, protecting customer data — especially the sensitive financial information our customers entrust to us — is a top priority. We conduct regular internal security reviews, testing, and quality checks to identify and address risks before they can impact our customers. We also welcome responsible security research and appreciate reports of potential vulnerabilities in our systems.

If you are a security researcher and have identified a security issue in any Soraban service, please follow this policy when reporting it. Following this process helps us protect our customers, meet our compliance obligations, and recognize your efforts.

Safe Harbor. We provide Safe Harbor for vulnerability reports submitted in accordance with this policy. This means Soraban will not pursue or support legal action against you for your research, provided you act in good faith.

Rules of Engagement

When conducting security research on Soraban systems:

  • Do not perform actions that could disrupt our services, including denial-of-service (DoS) or brute-force attacks.
  • Do not spam, phish, or use social engineering against Soraban employees or customers.
  • Do not attempt to access, modify, or delete customer data.
  • Limit testing to your own accounts or accounts you have explicit permission to test.
  • Use only methods that avoid harm to Soraban, our customers, or our partners.

How to Report a Vulnerability

Send reports to security@soraban.com with:

  1. A clear description of the vulnerability.
  2. Step-by-step instructions to reproduce it.
  3. Any relevant proof-of-concept code or screenshots.
  4. Your contact information for follow-up.

After You Report

When you report a vulnerability, Soraban will:

  1. Review and acknowledge the report as promptly as possible.
  2. Investigate and attempt to reproduce the reported issue.
  3. Communicate with you during the process if additional details are needed or as progress is made.
  4. Offer credit for your contribution, with your consent, once the issue is addressed.
  5. Where appropriate, consider sharing information about the resolved issue publicly after remediation.

Out of Scope

The following are not considered vulnerabilities under this program:

  • DoS or brute-force attacks.
  • Issues requiring a jailbroken or rooted mobile device.
  • Clickjacking without demonstrated impact.
  • Cookies missing non-critical flags without security impact.
  • Findings that rely on outdated browsers or unsupported client software.