We understand the importance of reliability and security when it comes to tracking bugs and issues, and we’re serious about the safety and security of your data.
Of course, if you have any questions or concerns, please don’t hesitate to get in touch.
Safety & Security
Security is always on our mind, and we spend quite a bit of our time and attention making sure that we’re doing everything possible to protect your data.
- Full-time SSL Security In order to provide the highest level of transactional security and protect from session-hijacking, every page and account is served over SSL. Check Sifter’s SSL rating at Qualys.
- Database replication All data in Sifter is fully replicated with a master/slave database setup.
- Hourly On-site Backups In addition to database replication, we keep hourly database snapshots for the last 24 hours.
- Daily Off-site Backups In the extreme case that our primary data center experiences a catastrophe, we keep full backups encrypted offsite using Amazon S3. We maintain snapshots of the last 7 days, and last 4 weeks.
- Quarterly Security Screens Our systems undergo quarterly security screens by Security Metrics to ensure that we’re current on all software updates and security best practices.
- PCI Level 4 Compliant. We never store any of your credit card information. We send all credit card data to our merchant provider, Braintree, to store all credit card information in their PCI-compliant virtual vault.
Performance & Availability
We view performance and availability as key features of Sifter. We have redundant monitoring tools set up, and we’re always working proactively to keep things running smoothly.
- 99.96% Uptime since 2008 Our uptime is monitored by Pingdom, and we make our full historical uptime reports available at availability.sifterapp.com at all times.
- Redundant Environment Sifter runs on a load-balanced redundant environment to ensure high availability and performance at all times.
- Performance Monitoring In addition to uptime, we also closely monitor Sifter’s performance and response times using New Relic.
Responsible Disclosure
Despite all of our efforts, we recognize that we’re not perfect and that security researchers can help ensure that we are. We welcome and support whitehat security researchers, and we don’t involve lawyers with any responsible research and disclosure. However, we will not tolerate any of the following, which will always be reported to the relevant authorities:
- Any attempt to modify or destroy data
- Any attempt to interrupt or degrade the services we offer to our customers
- Any attempt to execute a DoS attack
- Any attempt to access a user’s account or data
- Any research that involves violation of applicable laws
Acknowledgement Program
We do not offer bug bounties or rewards, but we do acknowledge contributions here on our site if you follow our guidelines for testing and reporting vulnerabilities. Please make sure to follow these guidelines, not only to be eligible for acknowledgement, but also to both help you focus your efforts and help us protect our customers and their data while you are testing.
Only the first researcher to report a specific qualifying issue is eligible for acknowledgement. Whether or not an issue is a qualifying issue, as well as eligibility for acknowledgement, are decisions taken by us in our discretion. We reserve the right to cancel this program at any time without notice.
Guidelines
In order to qualify for acknowledgement, please use the following guidelines when reporting issues. They help you avoid testing ineligible systems and ensure your request doesn’t slip through the cracks as well as helping us keep any requests for additional information to a minimum. If you have any questions or concerns about these guidelines, please let us know.
- Please do not use automated scripts/tools without prior approval and scheduling. We understand the value of automated vulnerability detection scripts and software, but we have to ask that you not run automated scans of any kind without scheduling them with us in advance. These scripts violate our terms of service and can potentially affect our customers. If you use automated methods, we only ask that you contact us ahead of time to coordinate your efforts so that you can run the tests during off-peak hours and so we can keep an eye on things while your script is running. We’re flexible and happy to work with you on this to minimize any potential impact on our customers.
- Please only report security issues via our security email address. In order to ensure the highest priority for your report, we ask that you make sure to report security problems using only our security email address. If you report them via other avenues, our response is more likely to be delayed.
- Expect a follow-up within 24 hours on business days. We do our best to respond quickly. Sometimes spam filters or other events get in the way, though. We take every report seriously, and if you don’t hear back promptly, it doesn’t mean that we’re ignoring it. It means that we didn’t receive it. If you don’t hear back within 24 hours on a business day, please drop us a reminder via our support email address or Twitter, and we’ll make sure that it hasn’t slipped through the cracks.
- Only test Sifter systems. Please only test for vulnerabilities within Sifter systems. Systems hosted by third parties like help.sifterapp.com, status.sifterapp.com, availability.sifterapp.com, etc. do not qualify for acknowledgement.
- Please provide steps to reproduce the problem in our systems. Please include specific steps to reproduce the problem within Sifter. Providing generic background information about a class of vulnerability without specific details about how our systems are vulnerable does not qualify for acknowledgement.
- Please wait to share your findings publicly. Please do not share your research or findings publicly until we’ve had time to research and release a fix for the problem.
- Provide clarification when requested. When you report an issue, we’ll always do our best to resolve it with minimal involvement on your part, but occasionally we need more information. Whether it’s a technical clarification or just a language barrier, we’ll do our best to keep requests for additional information to a minimum.
- Please only report vulnerabilities from the list of eligible issues. While we’ll gladly accept reports for any vulnerabilities, only the eligible vulnerabilities listed below qualify for inclusion in our acknowledgements.
Eligible Vulnerabilities
- Arbitrary redirects
- Authentication or authorization flaws
- Circumventing of platform and/or privacy permissions
- Clickjacking
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Privilege escalation
- Server-side code execution (RCE)
- SQL injection
Ineligible Vulnerabilities
- Denial of Service (DoS)
- Issues with outdated or unpatched browsers
- Lack of CAPTCHAs on forms
- Lack of the secure or HTTP-only flags on non-sensitive cookies
- Minor information disclosures (ex. server software/version)
- Spamming
- Lack of use of hardfail (-all) on SPF records
- Vulnerabilities in third-party web sites and tools that integrate with Sifter
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible to attack
Reporting Issues
We’ve set up a dedicated email address for you to securely contact us about sensitive issues. Once we’ve received your email, we’ll work with you to make sure that we completely understand the scope of the problem and keep you informed as we work on the solution.
If you believe that you’ve found a security vulnerability in Sifter please email us at [email protected].
Acknowledgements
We deeply appreciate those that help us find and resolve security issues responsibly. You make the web a safer place, and we think that’s awesome. The following folks have worked to help us keep Sifter more safe and secure for everyone. For that, we thank them.
If you believe that we forgot to add your name to this list for a previously reported issue, please email our security address with some details about your vulnerability report, and we’ll look into it.