Security
Tideways Security
We take the security of Tideways and the protection of our customers data seriously. If you have any questions or encountered any issues please don’t hesitate to contact us.
Reporting Security Issues
Send urgent or sensitive reports directly to [email protected]. We’ll get back to you as soon as possible, usually within 48 hours. If you haven’t heard from us in 48 hours, follow up via e-mail. For requests that aren’t urgent or sensitive: submit a support request to [email protected].
Tracking and Disclosing Security Issues
If you’re interested in executing tests against our systems for your security research, please use our staging system rather than our production systems. The staging system is running the same web application as production but does not involve production data. For information about how to activate your account on the staging system please get in contact with [email protected].
We work with security researchers to keep up with state-of-the-art web security. If you’ve discovered a web security flaw that might impact our product, please let us know. Here’s what happens when you submit a report:
- We acknowledge your report.
- We investigate the issue to determine its impact. We work with you to ensure we fully understand the issue, but we don’t disclose issues until our investigation is finished.
- Once the issue is resolved, we post a security update along with thanks and credit to the first researcher who reported the issue. At this time we do not provide monetary compensation for security reports.
- We appreciate your patience while you give us sufficient time we make sure the error is rectified and other companies and their customers are protected. In any event, you’ll always have a contact at Tideways for your issue.
Credits
The following people have responsibly reported security vulnerabilities to us and helped identify and fix problems in Tideways:
- Andreas Buchenrieder reported a privilege escalation
- Gaurang Maheta reported a potential subdomain takeover
- Kunal Mhaske reported that password reset e-mail token was not reset after user changed their password in the UI.
- Ambush Neupane reported a CSRF vulnerability in the organization team member removal screen.
Security Overview
As part of the GDPR processes we are documenting our Technical and Organizational Measures to ensure security in Tideways in our data processing agreement. See more information on GDPR Compliance. This includes a description of all categories of data Tideways stores and all subcontractors we use.
All information you transmit to and from Tideways is using secure encryption. Credit card information is transmitted, stored, and processed securely on a PCI-Compliant network. We currently use Stripe and Recurly for processing all one-time and recurring payments.
All servers have rigid access control and only provide access to the services that are required on that server. We regularly update our infrastructure to incorporate patches and updates.
All data is backed up on a regular basis to off-site backups.
Account passwords are stored with one-way encryption so even we do not have access to them.