- Server Security: Easyblog servers are configured to be as secure as possible.
- Database Security: Our database servers are on private networks and not accessible over the internet. Our school wide setup isolates each school from each other using their own installation of our software and separate databases.
- Passwords: All passwords are individually salted and hashed.
- Data Residency: All Easyblog user data is stored on servers located in the United States.
All Easyblog information systems and infrastructure are hosted in world-class data centers. These data centers include all the necessary physical security controls you would expect in a data center these days (e.g., 24×7 monitoring, cameras, visitor logs, entry requirements).
- Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
- Power: Servers have redundant internal and external power supplies. Data centers have backup power supplies, and are able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
- Uptime: Continuous uptime and performance monitoring. We employ multiple methods of alerting in the event of a failure.
- Failover: Our database is replicated in real-time and can failover.
- Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
- Firewalls: Firewalls restrict access to all ports except 80 (http) and 443 (https). As well as DDoS protection and monitoring.
- Access Control: 2FA (two-factor authentication), and role-based access is enforced for systems management by authorized engineering staff.
- Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
- Encryption in Transit: By default, our survey collectors have Transport Layer Security (TLS) enabled to encrypt respondent traffic. All other communications with the Easyblog website are sent over TLS connections, which protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients. Our application endpoints are TLS only and score an “A” rating on SSL Labs tests. Every installation of our schoolwide solution also meets this high standard.
- Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
- Third Party Scans: Our environments are continuously scanned using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.
Organizational & Administrative Security
- Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
- Audit Logging: We maintain and monitor audit logs on our services and systems.
- QA and Testing: All changes will be thoroughly tested by our developers and quality assurance team.
- Scheduled Maintenance Window: We perform all scheduled updates to production services at the weekend.
Handling of Security Breaches
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Easyblog learns of a security breach, we will notify affected users as soon as possible so that they can take appropriate steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices, posting a notice on our website or various forms of social media if a breach occurs.
Security Vulnerability Reporting Policy
Easyblog values the work done by security researchers in improving the security of our products. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.
If you are a security researcher and would like to report a security vulnerability, please submit a ticket under the type "Vulnerability Report", our system will automatically assign it to the correct engineers and with the highest priority. Please provide your name, contact information, and company name (if applicable) with each report.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure Guidelines:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
- Do not modify or access data that does not belong to you
- Give us a reasonable time to correct the issue before making any information public
We will attempt to respond to your report within 1-2 business days.
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.