Overview
Sqreen respects your privacy and makes significant efforts to protect all your data.
We are product security nerds. Transparency and responsiveness are among our key values. We care about developer protection, and we are developers ourselves. Making products safer can't be achieved without the community!
Sqreen supports responsible disclosure of vulnerabilities. We encourage everyone to report security issues to security@sqreen.io.
Keeping our customers' data protected is the most important thing that Sqreen does.
As you continue to learn more about Sqreen, we recommend you to review our Terms of Service and Privacy Policy.
Security Team
Our team has played lead roles in designing and building highly secure Internet-facing systems at companies ranging from startups to large public companies such as Apple and Airbus, as well as at security consulting firms.
Best Practices
- All of our services run in the cloud. Sqreen does not host or run its own routers, load balancers, DNS servers, or physical servers.
- Our services and data are hosted in Amazon Web Services (AWS) facilities in Europe (other regions are available on Enterprise plans on request). Sqreen services have been built with resilience and the principle of least privilege in mind.
- Our servers run inside our own virtual private cloud (VPC), with network access control lists (ACLs) and no public IP addresses, which prevents unauthorized requests from reaching our internal network.
Application Protection
- We of course use Sqreen to protect our application and customers at runtime.
- Sqreen blocks a wide range of attacks: SQL injection, NoSQL injection, cross-site scripting (XSS), shell and code injection, security bots and scanners, and more.
- Sqreen also detects suspicious user activity to help us identify attackers early and avoid breaches.
Authentication
- Sqreen is served 100% over HTTPS, and our corporate network follows a zero-trust model.
- We enforce two-factor authentication (2FA) and strong password policies on all our third-party services to ensure that access to cloud services is well protected.
Admin Controls
Only a small, restricted subset of Sqreen employees has access to our customer data.
Application Monitoring
- We produce audit logs for all activity, ship logs to Loggly for analysis, and use S3/Glacier for backups.
- All access to Sqreen applications is logged and audited.
- Bastion hosts are used to log in to isolated services.
- All actions taken on production consoles or in the Sqreen application are logged.
Compliance
Sqreen complies with EU-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information from European Union member countries.
PCI Obligations
Sqreen is not subject to PCI obligations. All payment instrument processing is outsourced to Stripe.
Responsible disclosure
Coverage
*.sqreen.io, and vulnerabilities discovered in the Sqreen agents.
Exclusions
- blog.sqreen.io
- doc.sqreen.io
- status.sqreen.io
- support.sqreen.io
Please do
Accepted vulnerabilities are the following:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
Please don't
This bug bounty program does NOT cover:
- Logout CSRF
- Denial of Service (DoS)
- Social engineering
- 3rd party cookies
Rewards
Everyone who reports an issue will be credited on our Hall of Fame, and we will be glad to:
- Offer a 12-month premium subscription for you or one of your customers, friends or family members
- Send you a package of special Sqreen hunter goodies, shipped only to security researchers who help us make Sqreen safer
- Credit your findings on our Hall of Fame