Security

Updated at: Jul 2, 2024

Our entire system: the website, the API, our developers site and all the extra services we've built to make everything work have been built from Day 1 to be secure and stable. Security best practices are used everywhere. Some of these include:

  • all user submitted content (including from XHR) are validated and not blindly trusted
  • we log and inspect anomalous events
  • we use password managers and don't reuse passwords
  • firewalls are in place, SSH connections must come from approved IPs
  • we keep software up to date; both the software used on development machines, and the various daemons and libraries on the servers
  • we regularly purge our database of identifying information (emails, IP Addresses etc)
  • we don't collect more info than we need to
  • we keep current with security news and trends
  • internal data transfers between servers are done via https and are protected by authentication keys
  • so on and so on.

Also, one of our primary goals of the site is encouraging everyone to always use an up to date web browser for the security benefits that provides.

Bug Bounty

Policy

We don't have an official bug or security bounty program at the moment, but if, in normal use of the site, you find a serious security issue, we'd love to send you some vinyl laptop stickers to say thanks.

We believe in responsible disclosure; if you find a problem, please give us time to acknowledge and fix it. We would love to acknowledge your help. If you find a problem, please let us know, we won't be mad.

What we want to know

  • if we are leaking information that we shouldn't (particularly about other people who have also used our services) (except for the Unique Browser URLs, which don't reveal full IP addresses and are intended to be shared)
  • if there is a way to inject invalid information into our services (for example, the Unique Browser URL system takes an XHR request a few seconds after the page is loaded - it doesn't blindly trust the info, it validates it.)
  • if there is a way to access or modify our systems without our consent

What we don't want to know

  • DDOSs and the like are not security vulnerabilites, they are just illegal.
  • Our passwords for the various services we use are generated by password managers, are at least 32 characters long and are alpha/numeric/symbol based. Don't bother trying to crack them.

Acknowledgements

In May 2024, Parth Narula volunteered to perform a security audit on the site. He found that some email clients will convert a URL in the Contact Name field of the API sign up form into a clickable link in the welcome email. Additionally, he found that a Contact Name that looked like a domain name with more than one period (eg example.com.au) would be converted into a clickable link by some email clients, which could potentially be used to send malicious and deceptive links to people in the API Welcome Email. We added checks to the API Sign Up Form to prevent URL-like fragments from being accepted into fields that shouldn't normally have them (First name, Company name, etc). Thankyou Parth.

Reporting security problems

To report security problems, please use our Contact Us page.

If you have any suggestions or comments, we'd love to hear them.

Thanks, and stay safe.