Updated at: Jul 2, 2024
Our entire system (the website, the API, our developers site and all the extra services we've built to make everything work) has been built from Day 1 to be secure and stable. Security best practices are used everywhere. Some of these include:
Also, one of the primary goals of the site is to encourage everyone to always use an up-to-date web browser for the security benefits that provides.
We don't have an official bug or security bounty program at the moment, but if, in normal use of the site, you find a serious security issue, we'd love to send you some vinyl laptop stickers to say thanks.
We believe in responsible disclosure; if you find a problem, please give us time to acknowledge and fix it. We would love to acknowledge your help. If you find a problem, please let us know; we won't be mad.
In May 2024, Parth Narula volunteered to perform a security audit on the site. He found that some email clients will convert a URL in the Contact Name field of the API sign up form into a clickable link in the welcome email. Additionally, he found that a Contact Name that looked like a domain name with more than one period (e.g. example.com.au) would be converted into a clickable link by some email clients, which could potentially be used to send malicious and deceptive links to people in the API Welcome Email. We added checks to the API Sign Up Form to prevent URL-like fragments from being accepted into fields that shouldn't normally have them (First name, Company name, etc.). Thank you, Parth.
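A sketch of the kind of server-side check described above, as an added example that is not the site's own code. The field names, the patterns that define "URL-like" and the look-alike dot folding are assumptions, and the check is stricter than the reported case: it also rejects single-dot names such as example.com.

```python
import re
import unicodedata

# Assumed definition of "URL-like"; deliberately strict, so a name such as
# "Example.com Ltd" is rejected too and would need a manual review path.
URL_LIKE = [
    re.compile(r"[a-z][a-z0-9+.-]*://\S*", re.IGNORECASE),   # scheme://...
    re.compile(r"\bwww\.\S+", re.IGNORECASE),                 # www.something
    # dotted labels ending in a 2+ letter label: example.com, example.com.au
    re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE),
]

# Hypothetical field names for fields that should never hold a link.
PLAIN_TEXT_FIELDS = ("first_name", "last_name", "contact_name", "company_name")


def normalise(value: str) -> str:
    """Fold look-alike characters so fullwidth/ideographic dots count as '.'."""
    return unicodedata.normalize("NFKC", value).replace("\u3002", ".")


def url_like_fragments(value: str) -> list[str]:
    """Return every substring of value that an email client might auto-link."""
    text = normalise(value)
    found = []
    for pattern in URL_LIKE:
        for match in pattern.finditer(text):
            if match.group(0) not in found:
                found.append(match.group(0))
    return found


def validate_signup(form: dict[str, str]) -> dict[str, list[str]]:
    """Map each offending plain-text field to the fragments that got it rejected."""
    errors = {}
    for field in PLAIN_TEXT_FIELDS:
        fragments = url_like_fragments(form.get(field, ""))
        if fragments:
            errors[field] = fragments
    return errors


if __name__ == "__main__":
    # Constructed sample submissions, not real sign-ups.
    samples = [
        {"first_name": "Jane", "contact_name": "Dr. J. R. Smith", "company_name": "Acme Inc."},
        {"first_name": "Jane", "contact_name": "example.com.au"},
        {"first_name": "Jane", "contact_name": "Reset at https://example.test/login"},
    ]
    for form in samples:
        print(form.get("contact_name"), "->", validate_signup(form) or "accepted")
```

Ordinary names with initials or titles ("Dr. J. R. Smith", "Acme Inc.") pass because a dot followed by a space or the end of the string is never treated as part of a domain.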
To report security problems, please use our Contact Us page.
If you have any suggestions or comments, we'd love to hear them.
Thanks, and stay safe.