This page outlines the security practices implemented by Conference Badge. For any question, please contact us at firstname.lastname@example.org.
Our security.txt can be found here.
Our service is built on Heroku and Amazon Web Services, which implement strong security measures and are compliant with most certifications. You can read more about the practices of each:
All data stored in our database and cloud storage is encrypted at rest.
All connections to your website are encrypted using TLS (Transport Layer Security). This also applies to connections between our servers and third parties such as Eventbrite and Universe.
We encourage responsible disclosure of vulnerabilities found on our website. To report vulnerabilities, email us at email@example.com with a detailed description so we can understand and fix the vulnerability promptly.
We ask you to not publicly disclose vulnerabilities until they are fixed. We offer rewards based on the criticality of each vulnerability.
Exclusions (out-of-scope reports)
The following are excluded from our vulnerability disclosure program. We offer no reward for reports in these categories.
Rate limit on signup, login and password reset endpoints
We do have rate limits in place; they simply return 302 status codes instead of 429, which often are not properly detected by automatic vulnerability scanning tools.
- Email verification at signup
- EXIF metadata not stripped from uploaded images
- TLS versions and ciphers
- Missing DKIM, SPF or DMARC records
- Missing DNSSEC
- Password complexity
- “Back” button that keeps working after logout
- Stored XSS on CDN / third-party domains like .twilio.com
- Reports affecting the help.conferencebadge.com subdomain
Conference Badge is compliant with the GDPR (General Data Protection Regulation). See more information on our GDPR page.
Payments made through our service are processed by Stripe which is certified as a PCI Level 1 Service Provider. We do not store payment information in our infrastructure.
October 18, 2019
Read more information on this page.
This document was last updated on December 14, 2020