Security

This page outlines the security practices implemented by Conference Badge. For any question, please contact us at [email protected].

Our security.txt can be found here.

Infrastructure

Our service is built on Heroku and Amazon Web Services, which implement strong security measures and are compliant with most certifications. You can read more about the practices of each:

• Heroku

• Amazon Web Services

Encryption

AT REST
All data stored in our database and cloud storage is encrypted at rest.

IN TRANSIT

All connections to your website are encrypted using TLS (Transport Layer Security). This also applies to connections between our servers and third parties such as Eventbrite and Universe.

Vulnerability disclosure

We encourage responsible disclosure of vulnerabilities found on our website. To report vulnerabilities, email us at [email protected] with a detailed description so we can understand and fix the vulnerability promptly.

We ask you to not publicly disclose vulnerabilities until they are fixed. We offer rewards based on the criticality of each vulnerability.

Exclusions (out-of-scope reports)

The following are excluded from our vulnerability disclosure program. We offer no reward for reports in these categories.

• Rate limit on signup, login and password reset endpoints
  We do have rate limits in place; they simply return 302 status codes instead of 429, which often are not properly detected by automatic vulnerability scanning tools.

• Email verification at signup

• EXIF metadata not stripped from uploaded images

• TLS versions and ciphers

• Missing DKIM, SPF or DMARC records

• Missing DNSSEC

• Password complexity

• “Back” button that keeps working after logout

• Outdated versions of JavaScript libraries such as jQuery

• Stored XSS on CDN / third-party domains like .twilio.com

• Reports affecting the help.conferencebadge.com subdomain

GDPR

Conference Badge is compliant with the GDPR (General Data Protection Regulation).

Payment information

Payments made through our service are processed by Stripe which is certified as a PCI Level 1 Service Provider. We do not store payment information in our infrastructure.

Past incidents

October 18, 2019 Read more information on this page.

This document was last updated on December 14, 2020