We understand the importance of reliability and security when it comes to
tracking bugs and issues, and we’re serious about the safety and security of
- Safety & Security
- Performance & Availability
- Responsible Disclosure
- Acknowledgement Program
- Reporting Issues
Of course, if you have any questions or concerns, please don’t hesitate to
Safety & Security
Security is always on our mind, and we spend quite a bit of our time and
attention making sure that we’re doing everything possible to protect your
- Full-time SSL Security In order to provide the highest level of transactional security and protect from session-hijacking, every page and account is served over SSL. Check Sifter’s SSL rating at Qualys.
- Database replication All data in Sifter is fully replicated with a master/slave database setup.
- Hourly On-site Backups In addition to database replication, we keep hourly database snapshots for the last 24 hours.
- Daily Off-site Backups In the extreme case that our primary data center experiences a catastrophe, we keep full backups encrypted offsite using Amazon S3. We maintain snapshots of the last 7 days, and last 4 weeks.
- Quarterly Security Screens Our systems undergo quarterly security screens by Security Metrics to ensure that we’re current on all software updates and security best practices.
- PCI Level 4 Compliant. We never store any of your credit card information. We send all credit card data to our merchant provider, Braintree, to store all credit card information in their PCI-compliant virtual vault.
Performance & Availability
We view performance and availability as key features of Sifter. We have
redundant monitoring tools set up, and we’re always working proactively to
keep things running smoothly.
- 99.96% Uptime since 2008 Our uptime is monitored by Pingdom, and we make our full historical uptime reports available at availability.sifterapp.com at all times.
- Redundant Environment Sifter runs on a load-balanced redundant environment to ensure high availability and performance at all times.
- Performance Monitoring In addition to uptime, we also closely monitor Sifter’s performance and response times using New Relic.
Despite all of our efforts, we recognize that we’re not perfect and that
security researchers can help ensure that we are. We welcome and support
whitehat security researchers, and we don’t involve lawyers with any
responsible research and disclosure. However, we will not tolerate any of the
following, which will always be reported to the relevant authorities:
- Any attempt to modify or destroy data
- Any attempt to interrupt or degrade the services we offer to our customers
- Any attempt to execute a DoS attack
- Any attempt to access a user’s account or data
- Any research that involves violation of applicable laws
We do not offer bug bounties or rewards, but we do acknowledge contributions
here on our site if you follow our guidelines for testing and reporting
vulnerabilities. Please make sure to follow these guidelines, not only to be
eligible for acknowledgement, but also to both help you focus your efforts and
help us protect our customers and their data while you are testing.
Only the first researcher to report a specific qualifying issue is eligible
for acknowledgement. Whether or not an issue is a qualifying issue, as well
as eligibility for acknowledgement, are decisions taken by us in our
discretion. We reserve the right to cancel this program at any time without
In order to qualify for acknowledgement, please use the following guidelines
when reporting issues. They help you avoid testing ineligible systems and
ensure your request doesn’t slip through the cracks as well as helping us keep
any requests for additional information to a minimum. If you have any
questions or concerns about these guidelines, please let us
- Please do not use automated scripts/tools without prior approval and scheduling. We understand the value of automated vulnerability detection scripts and software, but we have to ask that you not run automated scans of any kind without scheduling it with us in advance. These scripts violate our terms of service and can potentially affect our customers. If you use automated methods, we only ask that you contact us ahead of time to coordinate your efforts so that you can run the tests during off-peak hours and so we can keep an eye on things while your script is running. We’re flexible and happy to work with you on this to minimize any potential impact on our customers.
- Please only report security issues via our security email address. In order to ensure the highest priority for your report, we ask that you make sure to report security problems using only our security email address. If you report them via other avenues, our response is more likely to be delayed.
- Expect a followup within 24 hours on business days. We do our best to respond quickly. Sometimes spam filters or other events get in the way, though. We take every report seriously, and if you don’t hear back promptly, it doesn’t mean that we’re ignoring it. It means that we didn’t receive it. If you don’t hear back within 24 hours on a business day, please drop us a reminder via our support email address or Twitter, and we’ll make sure that it hasn’t slipped through the cracks.
- Only test Sifter systems. Please only test for vulnerabilities within Sifter systems. Systems hosted by third parties like help.sifterapp.com, status.sifterapp.com, availability.sifterapp.com, etc. do not qualify for acknowledgement.
- Please provide steps to reproduce the problem in our systems. Please include specific steps to reproduce the problem within Sifter. Providing generic background information about a class of vulnerability without specific details about how our systems are vulnerable does not qualify for acknowledgement.
- Please wait to share your findings publicly. Please do not share your research or findings publicly until we’ve had time to research and release a fix for the problem.
- Provide clarification when requested. When you report an issue, we’ll always do our best to resolve any issues with minimal involvement on your part, but occasionally we need more information. Whether technical clarification or just a language barrier, we’ll do our best to keep requests for additional information to a minimum.
- Please only report vulnerabilities from the list of eligible issues. While we’ll gladly accept reports for any vulnerabilities, only eligible vulnerabilities listed below qualify for inclusion in our acknowledgements.
Eligible vulnerabilities:
- Arbitrary redirects
- Authentication or authorization flaws
- Circumventing of platform and/or privacy permissions
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Privilege escalation
- Server-side code execution (RCE)
- SQL injection
Ineligible vulnerabilities:
- Denial of Service (DoS)
- Issues with outdated or unpatched browsers
- Lack of CAPTCHAs on forms
- Lack of the secure or HTTP-only flags on non-sensitive cookies
- Minor information disclosures (ex. server software/version)
- Lack of use of hardfail (-all) on SPF records
- Vulnerabilities in third-party web sites and tools that integrate with Sifter
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible to attack
We’ve set up a dedicated email address for you to securely contact us about
sensitive issues. Once we’ve received your email, we’ll work with you to make
sure that we completely understand the scope of the problem and keep you
informed as we work on the solution.
If you believe that you’ve found a security vulnerability in Sifter please
email us at [email
We deeply appreciate those that help us find and resolve security issues
responsibly. You make the web a safer place, and we think that’s awesome. The
following folks have worked to help us keep Sifter more safe and secure for
everyone. For that, we thank them.
If you believe that we forgot to add your name to this list for a previously
reported issue, please email our security
with some details about your vulnerability report, and we’ll look into it.