Verifiable maintains an Information Security Program to ensure the confidentiality, integrity, and availability of information assets, while meeting applicable legislative, industry, and contractual requirements.
Verifiable’s security policies, procedures, and standards are in accordance with the Trust Service Principles of the AICPA SOC2.
Furthermore, we perform an independent third-party audit of our compliance with the SOC2 standard annually.
Information Security Program
Verifiable maintains a robust Information Security Program consisting of policies, procedures, and controls that maintain the confidentiality, integrity, and availability of information and information assets belonging to Verifiable and its users, guests, employees, and business partners, while meeting compliance standards.
Compliance
Verifiable policies, procedures, and standards are based on the SOC2 trust service principles and criteria.
In addition, we use an independent third-party body to audit our compliance with the SOC2 standard annually.
Access Control
Verifiable maintains access control policies and procedures to mitigate unauthorized access to system resources by ensuring that access to systems and resources is granted in accordance with the principle of least privilege, where access is restricted to the minimum level required to perform job functions. In addition, Verifiable performs access reviews for all systems and resources.
Secure Software Development
Verifiable’s Software Development Life Cycle (SDLC) framework is based on industry standards such as OWASP, which ensures that secure design practices are integrated directly into the design and development process of the Verifiable Platform.
Incident Management and Response
An extensive security monitoring and incident response program is in place to provide notification of, investigate, and remediate security events. Our Incident Response team verifies the scope and impact of any suspected incident and ensures timely remediation.
Disaster Recovery and Business Continuity
Verifiable maintains policies, procedures, and security controls to ensure the continuity of critical business functions in the event of a catastrophic event. This includes data center resiliency, data redundancy and disaster recovery procedures for the Verifiable Platform.
Data Classification & Management
At Verifiable, every asset has a data owner who is responsible for ensuring that the specific information assets are handled and managed appropriately.
Verifiable maintains policies and procedures for data classification and protection governing how different classes of data are handled.
Risk Management
Verifiable has a documented Risk Management Program that ensures risks to systems and resources are assessed annually and managed.
Vulnerability Reporting
In accordance with responsible disclosure, we continue to respond to submitted security issues and encourage anyone to report bugs on our platform.
Please review the rules below before submitting any reports or making any testing attempts.
Reporting Security Issues
Verifiable takes its security responsibilities seriously on behalf of our clients, their customers, and ourselves. We view the role of security researchers as critical to the improvement of controls and products throughout the internet. We believe that researchers who use ethical and safe processes to discover vulnerabilities should have a proper channel through which to advise Verifiable. Our standards for vulnerability reporting are set out below.
Notification
To submit a bug for review, please send an email to security@verifiable.com.
Non-Verifiable Issues
Any issues found in external sources that are not directly the intellectual property of Verifiable will be forwarded to that party. These issues fall outside of our program and, while appreciated, will not be handled in the same manner.
Disclosure Process
Verifiable will take all reported issues seriously and review the details. In order to protect Verifiable from chaos testing, any researcher who wishes to engage in our program needs to comply with our process. We will not take legal action against any legitimate, non-disruptive testing used to reveal an issue. Verifiable will need a reasonable timeframe to review, recreate and address any potential findings. Verifiable offers a discretionary program for those sharing potential security vulnerabilities. Verifiable customers are not eligible for this program and should refrain from any testing attempts.
Disclosure Rules
- First and foremost, no data loss or interruption of service should be incurred. Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- Do not attempt to view, modify, delete or damage data belonging to others. Privacy of any data should not be violated.
- Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
- Do not attempt to gain access to another user’s account or data.
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Specific details of the perceived vulnerability and steps to reproduce should be provided.
Exclusions
The following vulnerabilities are not eligible for consideration:
- Network-level Denial of Service attacks
- Application Denial of Service by locking user accounts
- Descriptive error messages or headers (e.g. stack traces, banner grabbing)
- Disclosure of known public files or directories (e.g. robots.txt)
- Outdated software / library versions
- OPTIONS / TRACE HTTP method enabled
- CSRF on logout
- CSRF on forms that are available to anonymous users
- Cookies that lack HttpOnly or Secure settings for non-sensitive data
- Self-XSS and issues exploitable only through Self-XSS
- Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
- Attacks requiring MITM or physical access to a user's device
- Attacks dependent upon social engineering of Verifiable employees or vendors
- Username enumeration based on login or forgot-password pages
- Enforcement policies for brute force, rate limiting, or account lockout
- SSL/TLS best practices
- SSL attacks such as BEAST, BREACH, and renegotiation attacks
- Clickjacking, without additional details demonstrating a specific exploit
- Mail configuration issues, including SPF, DKIM, and DMARC settings
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Password and account recovery policies
- Presence of autocomplete functionality in form fields
- Publicly accessible login panels
- Lack of email address verification during account registration or account invitation
- Lack of email address verification during password restore
- Session control during email/password changes
- Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS
- Public zero-day vulnerabilities that have had an official patch for less than 1 month
- Tabnabbing
- Issues that require unlikely user interaction or that hinge on a user’s device being compromised first
- Excessive exfiltration or downloading of Verifiable data, or demanding payment in return for the destruction of such data, will be considered outside of the scope of this program, and Verifiable will reserve all of its rights, remedies, and actions to protect itself and its users.
Potential for Compensation
You may be eligible to receive a monetary reward if:
- You are the first person to submit a site or product vulnerability.
- That vulnerability is determined to be a valid security issue by the Verifiable Information Security team.
- You have complied with all of the terms and conditions mentioned herein.
Any amounts will be determined at the discretion of the Verifiable Information Security team who will evaluate each report for severity, impact, and quality. Reward amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk such that we do not make changes. There should be no expectation that any communication from Verifiable will take place, regardless of the vulnerability submitted.