We Have To Practice What We Preach
We help individuals and companies to identify security weaknesses, but we're in the same boat as them when it comes to being a target for attackers. We put a lot of effort into security, and we want to be transparent and share it here. Security is more complex than this page can cover, so if you have any questions just drop us an email at security [at] gauntlet.io
We've adopted the policy of using HTTPS for all endpoints to guarantee encryption of data in transit and endpoint authenticity. Furthermore, we use TLS 1.2+, as all three versions of SSL are now burdened with known vulnerabilities. Our certificates are proudly signed by Let's Encrypt. We highly recommend them.
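As an added illustration of the "TLS 1.2+ only" policy (example code written for this page, not Gauntlet's own configuration), the following builds a server-side context with Python's standard ssl module that refuses SSLv3, TLS 1.0 and TLS 1.1, and includes a small check that reports whether a context meets that policy. The certificate and key file paths are assumptions; any PEM chain such as the one Let's Encrypt issues would do.

```python
import ssl


def tls12_server_context(certfile=None, keyfile=None):
    """Build a server-side SSLContext that only negotiates TLS 1.2 or TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Floor at TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 are refused at the handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        # Hypothetical paths, e.g. fullchain.pem / privkey.pem from Let's Encrypt.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls_policy_issues(ctx):
    """Return a list of policy violations for a context; an empty list means compliant."""
    issues = []
    # MINIMUM_SUPPORTED (-2) compares lower than TLSv1_2, so "whatever OpenSSL
    # allows" is correctly flagged as too permissive.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append(f"minimum protocol version is {ctx.minimum_version.name}")
    if ctx.maximum_version not in (ssl.TLSVersion.MAXIMUM_SUPPORTED,
                                   ssl.TLSVersion.TLSv1_3):
        issues.append(f"maximum version {ctx.maximum_version.name} excludes TLS 1.3")
    return issues


def minimum_version_name(ctx):
    """Human-readable floor, handy for logging the effective policy at startup."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = tls12_server_context()
    print("minimum version:", minimum_version_name(ctx))
    print("policy issues:", tls_policy_issues(ctx) or "none")
```

The check is worth running against whatever context a framework hands you, since some of them still default to the loosest setting the linked OpenSSL permits.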
We safely store slowly computed hashes of passwords using the bcrypt algorithm configured with 10+ rounds, to prevent attackers (and even our employees) from recovering passwords from the hashes. You can help to secure your password by not using words found in dictionaries as well.
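The policy above is easy to state and easy to drift from over time, so here is an added example (not Gauntlet's code) of a check a team could run over its user table: it parses bcrypt's modular-crypt format, reads the cost factor, and reports any stored hash that is not bcrypt or falls below the required cost. The sample rows are constructed, and the salt and digest characters in them are placeholders with the right shape rather than hashes of any real password.

```python
import re

# Minimum bcrypt cost we accept; the page states 10+ rounds.  The bcrypt
# "cost" is a log2 value, so cost 10 means 2**10 key-expansion rounds.
MIN_COST = 10

# Modular-crypt bcrypt layout: $2a$ | $2b$ | $2y$, a two-digit cost, "$",
# 22 characters of salt and 31 characters of digest (bcrypt base64 alphabet).
_BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields; raise ValueError if it is not one."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


def audit_password_hashes(rows, min_cost=MIN_COST):
    """Return [(user, reason)] for every stored hash that violates the policy."""
    findings = []
    for user, stored in rows:
        try:
            info = parse_bcrypt(stored)
        except ValueError:
            findings.append((user, "not a bcrypt hash"))
            continue
        if info["cost"] < min_cost:
            findings.append((user, f"cost {info['cost']} below {min_cost}"))
    return findings


# Constructed sample rows (placeholder salt/digest strings, not real hashes).
SAMPLE_ROWS = [
    ("alice", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   "$2b$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("carol", "0123456789abcdef0123456789abcdef"),  # unsalted hex digest: fails
]

if __name__ == "__main__":
    for user, reason in audit_password_hashes(SAMPLE_ROWS):
        print(f"{user}: {reason}")
```

Running the audit as a scheduled job is the cheap way to catch an old import script or a library downgrade that quietly started writing weaker hashes.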
All data is stored in a database that is not exposed directly to the internet. Queries to this database use prepared statements to mitigate SQL injection attacks. This is one of the many batteries included in our software development framework.
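To make the prepared-statement point concrete, here is an added example (written for this page, not taken from Gauntlet's framework) that puts the string-built query beside the parameterised one over a constructed in-memory SQLite table. The same lookup is run with a normal email and with a classic injection string, so the difference in returned rows shows exactly what the prepared statement buys.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text itself."""
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Prepared statement: the input travels as a bound value, never as SQL."""
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "alice@example.com"
    hostile = "' OR '1'='1"          # textbook injection string
    print("unsafe, normal :", find_user_unsafe(conn, normal))
    print("unsafe, hostile:", find_user_unsafe(conn, hostile))  # leaks every row
    print("safe,   normal :", find_user_safe(conn, normal))
    print("safe,   hostile:", find_user_safe(conn, hostile))    # no such email
```

The bound-parameter form is also what makes the query cacheable by the database, so the secure choice is the faster one as well.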
We rely heavily on static websites for improved performance and security. Those are hosted by Amazon. The data and dynamic operations, however, are managed by us: we enforce secure development practices and run Gauntlet against ourselves too.
Found a bug? We encourage you to let us know at security [at] gauntlet.io. Please include the following items: your name, bug type, affected URL and proof of concept (PoC). Whenever a bug is found, talk to us instead of proceeding with exploitation. And please don't perform research that could impact other users. We don't have a bug bounty program, reward program or swag packs for now, but they're on the roadmap.