Security
Information Security
We at Phonon are committed to protecting the confidentiality and integrity of the services we provide and of our service data (information that is stored, processed or transmitted as part of the services we provide to our customers).
The executive leadership team is committed to following robust security practices in engineering and service delivery, setting the tone at the top. We have a Chief Information Security Officer (CISO) who sets the security strategy for compliance with industry standards and for continuous improvement of our security posture.
Information Security policies and procedures are defined for the required and applicable processes and are reviewed and audited at least annually to ensure alignment with the ISO 27001 standard. All employees undergo mandatory background verification (BGV) as part of their onboarding into the organisation. Empanelled service providers perform verifications of identity, education, employment, criminal record and drug use according to the defined processes. Information security training and awareness sessions are provided to employees at least annually. Procedures for reporting, tracking, investigating, communicating and remediating security incidents are established.
How do we protect the data?
All service data is stored in hardened databases with stringent access controls. Access to production systems (servers, network, etc.) is based on the principle of least privilege and is restricted to authorised individuals according to their job roles. All service data is backed up and encrypted using AES-256 encryption. Service data in transit is secured via HTTPS with TLS 1.2 or above.
How do we build secure software?
Information security requirements are considered as part of the product roadmap and are prioritised in the release plans. All changes are tested by a Quality Assurance team, and this testing includes code security reviews performed manually and with tools. Vulnerability assessments are performed by independent third parties. Source code is centrally managed under version control with access restrictions. Any change made to the code is logged. We have a deployment plan that includes review and final sign-off from product and engineering owners.
Where do we host the product?
We host our services (application) and associated data in AWS (Amazon Web Services) data centres, leveraging the best practices and services AWS offers for infrastructure security. We have a multi-tenant, multi-layer architecture powered by VPC (Virtual Private Cloud) and Security Groups, which act as a firewall to control inbound and outbound traffic. Except for the required components, no network infrastructure is exposed to the public. We also leverage AWS Availability Zones (AZ) for seamless continuity of services during a BC & DR event.
Responsible Disclosure Policy
Phonon is committed to the security and privacy of the information we store, process, and transmit via our products and services. We value the work of security researchers in identifying vulnerabilities and ensuring system safety.
Scope
This policy applies to the following domains and services:
- *.phonon.io
- *.phonon.in
Any domain or service not listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems belonging to our vendors fall outside this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren't sure whether a system is in scope, contact us at responsibledisclosures@phonon.io before starting your research.
Qualifying Vulnerabilities
Vulnerabilities eligible for responsible disclosure under this policy include:
- Remote code execution (RCE)
- SQL/XXE Injection and any other injection attacks
- Cross-Site Scripting (XSS)
- Disclosure of personally identifiable information (PII)
- Server side request forgery (SSRF)
- Application or server misconfigurations
- Authentication and Authorization weaknesses
- Cross site request forgeries (CSRF)
- Data leakage via inadequate access controls
Non-Qualifying Vulnerabilities
The following issues are not considered qualifying vulnerabilities:
- Self-XSS and XSS affecting only outdated browsers
- Missing HTTP headers on non-sensitive cookies
- Rate-limiting or brute force attack issues
- User enumeration without significant security impact
- Non-security misconfigurations in non-sensitive areas
- Phishing or spam-related issues (SPF/DKIM/DMARC)
Policy Guidelines
When conducting research under this policy, researchers are expected to:
- Notify Phonon immediately upon vulnerability discovery
- Refrain from public disclosure until resolution
- Limit exploitation to only what's necessary to confirm vulnerability
- Use approved communication channels for reporting
- Stop testing immediately if sensitive data is discovered
- Ensure sensitive data is not publicly disclosed
Testing Guidelines
The following testing methods are not authorized under this policy:
- Denial of Service (DoS) or Distributed DoS testing
- Physical security testing or social engineering
- Exploiting known third-party vulnerabilities without vendor disclosure
- Interfering with production systems or causing downtime
- Unauthorized data access or manipulation
Reporting a Vulnerability
To report a vulnerability, please email your findings to responsibledisclosures@phonon.io, ensuring the following information is included:
- Detailed vulnerability description and steps to reproduce the vulnerability
- Details of the application area / services affected
- Potential impact and security risk assessment
- Timeline of actions already taken for resolution/mitigation
- Supporting evidence (scripts, screenshots, videos)
What to Expect from Phonon
- Acknowledgment: Within 24-72 working hours
- Confidentiality: Strict internal handling with necessary personnel only
- Resolution: High-severity issues within 30 days with regular updates
- Transparency: Detailed information on resolution process including delays
- Evidence Sharing: Relevant information if vulnerability already identified
Continuous Improvement
Phonon is committed to continually improving its responsible disclosure process. We actively review and update this policy in alignment with industry best practices, regulatory changes, and new security threats. Researchers' feedback and collaboration are vital to this ongoing improvement.