Critical security feature: Clearly show email of the person who prepared the contract to prevent fishing attack
We use PandaDoc to sign documents with contractors, vendors, etc. Typically someone from the team prepares the contract and then the management (often me) gets an email with a request to sign, sign it and that's it.
The problem is, that there is no way for management to verify, who actually created the contract. There is just the name of that person but no email! This creates a simple attack vector - anyone with PandaDoc can now change their name to match someone from another company, create an arbitrary contract, send it to some person from that company and have them sign it, because they just blindly trust the contract by seeing the name of the person who created it. Extremely simple phishing attack!
Imagine the headlines on Hacker News if this happened: "PandaDoc enabling fishing attacks by spoofed contracts"
[not provided]
shared this idea
