We at Phonon are committed to protecting the confidentiality and integrity of the services we provide and of our service data (information that is stored, processed or transmitted as part of our customers' use of our services).
The executive leadership team is committed to following robust security practices in engineering and service delivery, setting the tone at the top. We have a Chief Information Security Officer (CISO) who sets the security strategy for compliance with industry standards and for continuous improvement of our security posture.
Information Security Policies and Procedures are defined for the required and applicable processes and are reviewed and audited at least annually to ensure alignment with the ISO 27001 standard. All employees undergo mandatory background verification (BGV) as part of their onboarding into the organisation. Empanelled service providers perform verification of identity, education, employment, criminal record and drug screening as per the defined processes. Information security training and awareness sessions are provided to employees at least annually. Procedures for reporting, tracking, investigating, communicating and remediating security incidents are established.
How do we protect the data?
All service data is stored in hardened databases with stringent access controls. Access to production systems (servers, network devices, etc.) follows the principle of least privilege and is restricted to authorised individuals based on their job roles. All service data is backed up and encrypted using AES-256. Service data in transit is secured via HTTPS with TLS 1.2 or above.
How do we build secure software?
Information security requirements are considered as part of the product roadmap and are prioritised in the release plans. All changes are tested by a Quality Assurance team; this includes code security reviews performed manually and with tools. Vulnerability assessments are performed by independent third parties. Source code is centrally managed with version control and access restrictions, and every change made to the code is logged. Our deployment plan includes review and final sign-off from product/engineering owners.
Where do we host the product?
We host our services (application) and associated data in AWS (Amazon Web Services) data centres, leveraging the best practices and services offered for infrastructure security. We have a multi-tenant, multi-layer architecture built on VPC (Virtual Private Cloud) and Security Groups, which act as firewalls controlling inbound and outbound traffic. Except for the components that must be reachable, no network infrastructure is exposed to the public internet. We also leverage AWS Availability Zones (AZs) for seamless continuity of service during a BC & DR event.
Responsible Disclosure Policy
Phonon is committed to ensuring security by protecting the information that is stored, processed or transmitted as part of our customers' use of our products and services. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how discovered vulnerabilities are submitted to us.
This policy describes which systems and types of research are covered, how to send us vulnerability reports, and our approach and timelines. We encourage you to contact us to report potential vulnerabilities in our systems.
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly. Phonon will recognise this research and will not recommend or pursue legal action related to it. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue.
- Do not submit a high volume of low-quality reports.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
- Use the communication channel mentioned below to report vulnerability information to us;
- Documenting or publishing vulnerability details in the public domain is against our responsible disclosure policy; and
- Keep information about any vulnerability confidential until the issue is resolved.
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
This policy applies to the following domains and services:
Any domain or service not listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in our vendors' systems fall outside this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren't sure whether a system is in scope, contact us at email@example.com before starting your research.
Qualifying security bugs:
- Remote code execution (RCE)
- SQL injection, XXE injection and other injection attacks
- Cross-Site Scripting (XSS)
- Disclosure of personally identifiable information
- Server side request forgery (SSRF)
- Misconfiguration issues on servers and application
- Authentication and Authorization related issues
- Cross-site request forgery (CSRF)
Non-qualifying security bugs:
- Self-XSS and XSS that affects only outdated browsers
- Host header and banner grabbing issues
- Automated tool scan reports (e.g. web, SSL/TLS or Nmap scan results)
- Missing HTTP security headers and cookie flags on non-sensitive cookies
- Rate limiting and brute-force attacks
- Login/logout/low-business impact CSRF
- Unrestricted file upload
- Open redirects - unless they can be used for actively stealing tokens
- Formula/CSV Injection
- Vulnerabilities that require physical access to the victim's machine
- User enumeration (e.g. user email, user ID)
- Phishing / Spam (including issues related to SPF/DKIM/DMARC)
- Missing security best practices
- Vulnerabilities found in third party services
Reporting a Vulnerability
- E-mail your findings to firstname.lastname@example.org
Phonon will determine the severity of an issue based on the nature of the information involved, the impact (confidentiality, integrity, availability, privacy) and the ease of exploitation.
What we would like to see from you
To help us triage and prioritise submissions, we recommend the following:
- Well-written reports in English
- Describe where the vulnerability was discovered (IP, system, etc.) and the potential impact of exploitation.
- Detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- A description of the suggested remediation.
What you can expect from us
- We will respond to your email in a timely manner.
- We will handle your report with strict confidentiality.
- We will confirm the existence of the vulnerability to you and be as transparent as possible about the steps we are taking during the remediation process, including any issues or challenges that may delay resolution.
- If the reported issue was already known to Phonon, we will provide the information and evidence for this.
We consider gratitude and public appreciation to be recognition more valuable than a bounty. We will publicly convey our deepest gratitude by adding your name to our Hall of Fame. We will also send our official acknowledgement of your efforts, along with swag/goodies as the equivalent of a monetary reward.