Security

More people, more secure

Overview

Sqreen respects your privacy and makes significant efforts to protect all your data.

We are product security nerds. Transparency and responsiveness are among our key values. We care about protecting developers, and we are developers ourselves. Making products safer can't be achieved without the community!

Sqreen supports responsible disclosure of vulnerabilities. We encourage all of you to report security issues to security@sqreen.io.

Keeping our customers' data protected is the most important thing that Sqreen does.

As you continue to learn more about Sqreen, we recommend that you review our Terms of Service and Privacy Policy.

Security Team

Our team has played lead roles in designing and building highly secure Internet-facing systems at companies ranging from startups to large public companies such as Apple and Airbus, as well as at security consulting firms.

Best Practices

  • All of our services run in the cloud. Sqreen does not host or run its own routers, load balancers, DNS servers, or physical servers.
  • Our services and data are hosted in Amazon Web Services (AWS) facilities in Europe (other zones are available on Enterprise plans on request). Sqreen services have been built with resilience and the principle of least privilege in mind.
  • Our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) and no public IP addresses, which prevents unauthorized requests from reaching our internal network.

Application Protection

Sqreen | Runtime Application Protection

  • We of course use Sqreen to protect our application and customers at runtime.
  • Sqreen blocks a wide range of attacks: SQL injections, NoSQL injections, cross-site scripting (XSS) attacks, shell and code injections, security bots and scanners, etc.
  • Sqreen will also detect suspicious user activities to help us identify attackers early and avoid breaches.

Data

Please refer to our privacy policy for more details.

Authentication

  • Sqreen is served 100% over HTTPS and runs a zero-trust corporate network.
  • We have two-factor authentication (2FA) and strong password policies on all our 3rd party services to ensure access to cloud services is well protected.

Admin Controls

Only a small, restricted subset of Sqreen employees have access to our customer data.

Application Monitoring

  • We produce audit logs for all activity, ship logs to Loggly for analysis, and use S3/Glacier for backup purposes.
  • All access to Sqreen applications is logged and audited.
  • Bastion hosts are used to log in to isolated services.
  • All actions taken on production consoles or in the Sqreen application are logged.

Compliance

Sqreen complies with EU-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information from European Union member countries.

PCI Obligations

Sqreen is not subject to PCI obligations. All payment instrument processing is outsourced to Stripe.

Bug Bounty

Coverage

*.sqreen.io and vulnerabilities discovered in Sqreen Agents.

Exclusions

  • blog.sqreen.io
  • doc.sqreen.io
  • status.sqreen.io
  • support.sqreen.io

Please do

Accepted vulnerabilities are the following:

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution

Please don't

This bug bounty program does NOT include:

  • Logout CSRF
  • Denial of Service (DoS)
  • Social engineering
  • 3rd party cookies

Contact information

Please provide us with the severity, details, and steps to reproduce.
Your reports will be investigated with the highest priority. We encourage all of you to report security issues!

security@sqreen.io