Many companies say they take security seriously. In our case, we’d like to demonstrate this with concrete information.
Security Audit
From time to time, we commission independent Internet security professionals to audit our security. We implement any findings and recommendations as a matter of priority.
EU General Data Protection Regulation (GDPR)
As we are based in Spain, which is in the European Union, we are regulated by the EU General Data Protection Regulation (GDPR). We abide fully by the EU GDPR. Read more about our GDPR compliance.
Employee Access
- Wherever possible, we use two-factor authentication (2FA) to restrict access to our IT infrastructure and to customer data.
- Each team member is supplied with a password manager application to ensure that we all use strong, unique passwords for each service we use.
- When an individual ceases working with us, we revoke their access to all services.
Infrastructure
The Saber Feedback application is hosted on Linode. We regularly audit our use of Linode and regularly check our server logs for suspicious activity.
Our database is hosted on Linode.
Linode offers a choice of geographic regions. The Linode region we use is in Germany, a European Union member state. We store production data solely within the European Union.
Our web application only accepts and transmits traffic over HTTPS.
Backups
We take frequent backups and regularly ensure that a recent backup can be restored. Access to backups is guarded with a combination of 2FA, password managers, encryption at rest, and tight access rules.
Credit Card Data
At no time do we store your credit card details on our servers. Our payment processors, FastSpring and Stripe, handle payment processing on our behalf. FastSpring and Stripe ensure that all relevant compliance, such as PCI, is met.
None of our staff, including management, have access to your credit card info.
Got questions about our security? Ask us at [email protected]
Responsible Disclosure
We welcome whitehat security researchers and will gratefully receive reports of suspected security problems.
We ask you to refrain from the following:
- attempts to modify or destroy data
- attempts to interrupt or degrade the services we offer to our customers
- attempts to execute a Denial of Service (DoS) attack
- attempts to access a user’s account or data
- violating any applicable law
Acknowledgement Program
We don’t offer bug bounties. However, we acknowledge contributions here on our site.
Only the first researcher to report a specific qualifying issue is eligible for acknowledgement. Whether an issue qualifies, and whether the reporter is eligible for acknowledgement, are decisions taken by us at our discretion.
We reserve the right to cancel this program at any time without notice.
Guidelines
In order to qualify for acknowledgement, please follow these guidelines when reporting issues:
- Report security issues via our security email address. The address is [email protected].
- Do not use automated scripts/tools without prior approval and scheduling. We understand the value of automated vulnerability detection scripts and software, but we ask you not to run automated scans of any kind without scheduling it with us in advance.
- Expect a follow-up within 24 hours on business days. We do our best to respond quickly. We take every report seriously, and if you don’t hear back promptly, it doesn’t mean that we’re ignoring it. It means that we didn’t receive it. If you don’t hear back within 24 hours on a business day, please drop us a reminder via our support email address, and we’ll make sure it hasn’t slipped through the cracks.
- Only test Saber Feedback systems. Systems hosted by third parties do not qualify for acknowledgement.
- Provide steps to reproduce the problem in our systems. Providing generic background information about a class of vulnerability without specific details about how our systems are vulnerable does not qualify for acknowledgement.
- Please do not share your research or findings publicly until we’ve had time to research and release a fix for the problem.
Vulnerabilities eligible for acknowledgement
- Arbitrary redirects
- Authentication or authorization flaws
- Circumvention of platform and/or privacy permissions
- Clickjacking
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Privilege escalation
- Server-side code execution (RCE)
- SQL injection
Ineligible vulnerabilities
- Denial of Service (DoS)
- Issues with outdated or unpatched browsers
- Minor information disclosures (e.g. server software/version)
- Spamming
- Vulnerabilities in third-party web sites and tools that integrate with Saber Feedback
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible to attack
How to report issues
Report security vulnerabilities to [email protected]. Once we’ve received your email, we’ll work with you to make sure we completely understand the scope of the problem and keep you informed as we work on the solution.