Security Overview
Overview
Keeping our customers' data protected at all times is our highest priority. This security overview provides a high-level insight into the security practices we have in place to achieve this objective. If you have any questions or feedback, please feel free to reach out to us at [email protected]
Our security.txt file is available here.
Dedicated Security Team
Our security team is made up of dedicated experts committed to enhancing the security of our organization. Our team members are trained in security incident response and are available 24/7 to address any security concerns.
Infrastructure
Cloud Infrastructure
All our services operate in the cloud. Our cloud providers implement robust security measures to safeguard our infrastructure. Learn more about their security practices:
Data Center Security
Our data center is Tier IV, PCI DSS, and ISO 27001 compliant. Our servers are guarded 24/7 with security measures such as CCTV, electronic access control, and more.
Network Level Security Monitoring and Protection
Our network security architecture employs multiple security zones, utilizing a virtual private cloud (VPC), a firewall, Intrusion Detection and/or Prevention technologies (IDS/IPS), and IP address filtering to monitor and protect against unauthorized access.
DDoS Protection
We utilize Distributed Denial of Service (DDoS) mitigation services provided by an industry-leading solution to safeguard against DDoS attacks.
Data Encryption
- Encryption in Transit: All data sent to or from our infrastructure is encrypted using Transport Layer Security (TLS). View our SSL Labs report here.
- Encryption at Rest: User data, including passwords, is encrypted using battle-tested encryption algorithms in the database.
Data Retention and Removal
We retain all usage data. Users can request data removal by contacting support. Learn more about our privacy settings in our privacy policy.
Business Continuity and Disaster Recovery
We regularly back up critical assets and test the restoration process to ensure a swift recovery in case of a disaster. All backups are encrypted.
Application Security Monitoring
- We use a security monitoring solution for real-time application security.
- Technologies such as OpenTracing are employed in our microservices for monitoring exceptions and logs and for detecting anomalies.
Application Security Protection
- We use a runtime protection system to identify and block OWASP Top 10 and business logic attacks in real-time.
- Security headers are employed to protect against attacks. Check our grade on this security scanner.
- Security automation capabilities automatically detect and respond to threats targeting our apps.
Secure Development
We follow security best practices, including regular security training for developers, code reviews, updating dependencies, and using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Third-party security experts conduct periodic penetration tests.
Responsible Disclosure
We welcome responsible disclosure through our bug bounty program. Report vulnerabilities to [email protected], including a proof of concept. Rewards are at our discretion.
Coverage
- *.webreels.net
Exclusions
- blog.webreels.net
- docs.webreels.net
- status.webreels.net
- support.webreels.net
Accepted vulnerabilities include:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-Site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
Our bug bounty program does NOT include:
- Logout CSRF
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Phishing
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user's machine
User Protection
2-factor Authentication:
- We provide a 2-factor authentication mechanism for user account protection.
Account Takeover Protection:
- We monitor and block brute force attacks to protect users against data breaches.
Single Sign-On:
- Single sign-on (SSO) is available for enterprise customers and can be linked with Google accounts.
Role-Based Access Control:
- Our accounts feature role-based access control (RBAC) for defining roles and permissions.