learn.conferencebadge.com
This page outlines the security practices implemented by Conference Badge. For any questions, please contact us at [email protected].
Our security.txt can be found at /.well-known/security.txt.
Our service is built on Heroku and Amazon Web Services, which implement strong security measures and are compliant with most certifications. You can read more about the practices of each:
All data stored in our database and cloud storage is encrypted at rest.
All connections to our website are encrypted using TLS (Transport Layer Security). This also applies to connections between our servers and third parties such as Eventbrite and Universe.
We encourage responsible disclosure of vulnerabilities found on our website. To report a vulnerability, email us at [email protected] with a detailed description so we can understand and fix it promptly.
We ask that you do not publicly disclose vulnerabilities until they are fixed. We offer rewards based on the criticality of each vulnerability.
The following are excluded from our vulnerability disclosure program. We offer no reward for reports in these categories:

- Rate limiting on signup, login and password reset endpoints. We do have rate limits in place; they simply return 302 status codes instead of 429, which automated vulnerability scanning tools often fail to detect.
- Email verification at signup
- EXIF metadata not stripped from uploaded images
- TLS versions and ciphers
- Missing DKIM, SPF or DMARC records
- Missing DNSSEC
- Password complexity
- "Back" button that keeps working after logout
- Outdated versions of JavaScript libraries such as jQuery
- Stored XSS on CDN / third-party domains like .twilio.com
- Reports affecting the help.conferencebadge.com subdomain
Conference Badge is compliant with the GDPR (General Data Protection Regulation). See more information on [our GDPR page](/gdpr).
Payments made through our service are processed by [Stripe](https://stripe.com/), which is certified as a PCI Level 1 Service Provider. We do not store payment information in our infrastructure.
Read more information [on this page](/security/20191018).
This document was last updated on December 14, 2020.