Security Policy

We take security and privacy seriously, adhering to enterprise-level security standards that keep your customer data protected.

We have a globally distributed infrastructure and security team on call 24/7. Our team constantly monitors security notifications for all third-party software libraries we use, and when a relevant security patch is released we apply it immediately.


Infrastructure

All of Quaderno's application and data infrastructure is hosted on DigitalOcean, a highly scalable cloud computing platform with end-to-end security and privacy features built in.

Among others, security measures adopted by Quaderno include:

  • Access to the information stored within Quaderno's servers is restricted to a limited number of Quaderno employees, who can access the information only in specific and limited circumstances and are bound by confidentiality.
  • Quaderno's servers are protected by (1) firewalls establishing a barrier between our trusted, secure internal network and the Internet and (2) IP restrictions, limiting access to whitelisted IP addresses.
  • We use HTTPS to encrypt all data in transit for all internal and external endpoints, providing secure transfer of data to prevent wiretapping and man-in-the-middle attacks.
  • Public access to databases and developer endpoints is restricted with passwords and API credentials.

Reporting an issue

We know how much work goes into pen testing! To avoid frustration, you can check out these common non-vulnerabilities that don't qualify for rewards.

Got a valid issue? Awesome! Please email us at support@quaderno.io and include:

  • A summary of the problem.
  • A severity rating of 1 - 5 (1 being least severe, 5 being most severe, i.e. you can easily hijack, impersonate or access any other account or data).
  • A PoC or breakdown of how to replicate the issue.
  • The operating system name and version, as well as the web browser's name and version, that you used to replicate the issue.

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.


Rewards

We're eternally grateful for all of those who put in hard work to identify weaknesses within Quaderno. For reports that are not common non-vulnerabilities, we like to reward those who responsibly disclose vulnerabilities with an acknowledgement, swag or bounty money.

Rewards are based on severity, impact, and report quality. We will only give out rewards via PayPal.

Please note that only one bounty will be awarded per vulnerability. If we receive multiple reports for the same vulnerability, only the person who submitted the first clear report will receive a reward.

This is a discretionary program and Quaderno reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.