We Take Information Security Seriously

We know this is one phrase security researchers and clients dislike when organizations claims but in reality, they do nothing (or close to nothing).

What we do to take it seriously

  1. Cloud and Network Infrastructure Security
    1. We use trusted cloud providers such as Amazon’s AWS, Microsoft’s Azure, Google’s GCP, Digital Ocean etc. to host our applications and web facing assets.
    2. We strictly follow security best practices recommended by the respective providers.
    3. We perform continuous infrastructure monitoring to identify security risks.
    4. Data stored on cloud as well as on premise computing resources are encrypted-at-rest to protect from leakage
  1. Web Application Security
    1. All our web applications go through periodic vulnerability assessment to identify any security issues.
    2. We use TLS 1.2 certificates with up to 2048-bit encryption to encrypt data-in-motion transmitted between your browser and our Servers.
    3. We use Web Application Firewalls (WAF) to protect the websites and keep the attacks out of our network.
  1. Mobile Application Security
    1. All our mobile apps go through periodic vulnerability assessment to identify any security issues.
    2. All API (Applications Programming Interfaces) endpoints are also tested for security issues.
    3. We host our apps directly on the Google PlayStore and Apple AppStore. We do not distribute our app via any other channel.
  1. Privacy
    1. We do not maintain any authentication credentials (e.g., username password combination) at our end. Instead, we leverage a 3rd party SSO service like Auth0 for the same.
    2. We keep non-public PII (Personally Identifiable Information) on a different system to avoid data leakage. This is data our employees, consultants, clients, vendors, guests, and users provide us and DO NOT approve of displaying it publicly on the website or the applications.
  1. Data Storage
    1. Data could be stored in the cloud in the form of blobs, flat files, databases.
    2. All the above are encrypted with industry standard AES-256 encryption.
    3. Access to such data is provided strictly on a need-to-know basis and is logged and controlled for auditing purposes
  1. Security Governance
    1. We encourage security researchers to identify and report any security vulnerability they may find.
    2. We contract seasoned security experts to guide us on the complete security program.

I'm a security researcher. How do I report if I find a vulnerability? aka BugBounty

Security researchers are encouraged to review and agree to the "Responsible Vulnerability Disclosure Program" linked below and then submit the vulnerability report to [email protected]. Researchers should provide all details in the submission report to avoid undesirable delays.

  1. For a submission report to be considered for remediation (and potentially reward program) must include the following:
    1. Full description of the vulnerability being reported, including the exploitability and impact.
  1. Steps to replicate.
  1. Supporting evidence such as:
    1. Screenshots.
    2. Traffic Logs.
    3. Web/API requests and responses.
    4. IP address used for testing.
    5. Email address or user ID of any test accounts.

Note: Researchers are requested to not publish any security vulnerability identified in the Della digital assets publicly without expressed consent as per the policy linked above.

Is there a reward for submission of security vulnerability?

Oh Yes!, we respect knowledge and skill of researcher and reward it appropriately. For details, please see the "Responsible Vulnerability Disclosure Program" linked below.

Responsible Vulnerability Disclosure Program, Click Here To View