Vigilance
We constantly challenge our own security & safeguards with sophisticated penetration tests and a responsible disclosure rewards program.
SSDLC Framework
Our software lifecycle is security-focused. We consider security at every stage of the product development process.
Data Minimization
Our policy is to collect the bare minimum amount of data necessary to fulfill requests or prepare reports for an upcoming audit.
Complexities of Privacy Tech and Regulation in a Data-Saturated Reality
Required Access
Discovering and mapping personal data across your tech stack, and executing data subject access and erasure requests, inherently requires access to the systems in that stack. We hold ourselves to the most stringent security standards for any type of access or connection.
Sensitive Data
Under data privacy regulations, consumers have the right to download the personal information you hold about them. To protect this data, we ensure it cannot be intercepted in transit and that it is delivered only to the person it belongs to.
Frequently asked questions
Operational Security
- Our Site Reliability Engineers (SRE) are tasked with the operational aspects of our business and ensure information security.
- All machines that run our infrastructure are kept up to date and patched automatically. Software installations are strictly limited and controlled. Access to these machines is restricted only to relevant members of the teams.
- Our organization’s Development, Test, and Operational systems are separated.
- We enforce best practices such as encryption of storage media, two-factor authentication (2FA), strong passwords, and automatic locking of systems after a short idle period. All communication goes over encrypted channels using modern, strong encryption.
Mine Employees
- All staff machines must comply with our Confidentiality Policy which includes a requirement to “take all reasonable measures to protect security and prevent unauthorized access or disclosure of all confidential information”.
- We provide periodic security training and tests for all employees.
- Our office has 24-hour security, cameras, and requires a biometric lock to access.
- We have a thorough employee termination and access-removal process.
Application Security
- All data is encrypted in transit and at rest with modern encryption; outdated ciphers and protocols are disabled.
- We contract a reputable third party for annual security audits and penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
- We keep full audit logs, with monitoring and alerting for suspicious activity.
Data Center Security
- Mine was specifically built around compliance with the EU General Data Protection Regulation (GDPR) (http://www.eugdpr.org/).
- Our data centers are all located inside the EU (Western Europe).
- We host our infrastructure on Google Cloud Platform (https://cloud.google.com/security/).
3rd Party Data Source Integrations: Permissions
When integrating with a third-party SaaS to automate request handling, Mine uses the minimal set of permissions required to operate. The operations that set requires are:
- Search for objects that belong to a user by email/id
- Retrieve such objects
- Delete/anonymize such objects
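The following is an added illustration of that least-privilege model, not Mine's own code and not any real SaaS API. A hypothetical in-memory data source (`FakeCRM`, with constructed sample records) enforces scopes on every call the way a real API would; the integration is granted exactly three hypothetical scopes covering search, read and delete/anonymize, a token carrying anything more is refused, and a token missing a scope fails closed. Anonymization strips only the identifying fields so that non-personal business fields (plan, revenue) still add up in reports after an erasure request.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# The three capabilities an automated access/erasure workflow needs on a data source
# (scope names are hypothetical; a real SaaS will have its own).
REQUIRED_SCOPES = frozenset({"objects:search", "objects:read", "objects:delete"})


@dataclass(frozen=True)
class AccessToken:
    """Scopes the SaaS granted to the integration."""
    scopes: frozenset[str]


def excess_scopes(token: AccessToken) -> frozenset[str]:
    """Scopes beyond REQUIRED_SCOPES; a non-empty result means the integration is over-provisioned."""
    return token.scopes - REQUIRED_SCOPES


@dataclass
class FakeCRM:
    """Stand-in for a third-party SaaS with constructed sample data; it checks scopes on every call."""
    PII_FIELDS = ("email", "name")  # identifying fields removed on anonymization
    records: dict[str, dict] = field(default_factory=lambda: {
        "c-1001": {"email": "alice@example.com", "name": "Alice A.", "plan": "pro", "mrr": 40},
        "c-1002": {"email": "bob@example.com", "name": "Bob B.", "plan": "free", "mrr": 0},
        "c-1003": {"email": "alice@example.com", "name": "A. Anders", "plan": "team", "mrr": 120},
    })

    def _require(self, token: AccessToken, scope: str) -> None:
        if scope not in token.scopes:
            raise PermissionError(f"token lacks scope {scope}")

    def search(self, token: AccessToken, *, email: str | None = None,
               object_id: str | None = None) -> list[str]:
        """Ids of the objects belonging to a subject, located by email or by id."""
        self._require(token, "objects:search")
        if object_id is not None:
            return [object_id] if object_id in self.records else []
        return sorted(oid for oid, rec in self.records.items() if rec.get("email") == email)

    def retrieve(self, token: AccessToken, object_id: str) -> dict:
        """A copy of one object."""
        self._require(token, "objects:read")
        return dict(self.records[object_id])

    def anonymize(self, token: AccessToken, object_id: str) -> None:
        """Remove identifying fields in place; business fields stay so aggregate reports still add up."""
        self._require(token, "objects:delete")
        for name in self.PII_FIELDS:
            self.records[object_id].pop(name, None)


def handle_access_request(crm: FakeCRM, token: AccessToken, email: str) -> list[dict]:
    """Access request: everything the source holds on the subject, each object tagged with its id."""
    return [{"id": oid, **crm.retrieve(token, oid)} for oid in crm.search(token, email=email)]


def handle_erasure_request(crm: FakeCRM, token: AccessToken, email: str) -> dict:
    """Erasure request: anonymize every matching object, then verify nothing is still findable."""
    extra = excess_scopes(token)
    if extra:
        # Fail closed: a credential with more power than the workflow needs is a liability if leaked.
        raise PermissionError(f"refusing over-provisioned token: {sorted(extra)}")
    ids = crm.search(token, email=email)
    for oid in ids:
        crm.anonymize(token, oid)
    return {"anonymized": ids, "still_findable": crm.search(token, email=email)}


if __name__ == "__main__":
    crm = FakeCRM()
    token = AccessToken(frozenset(REQUIRED_SCOPES))
    print(handle_access_request(crm, token, "alice@example.com"))
    print(handle_erasure_request(crm, token, "alice@example.com"))
```

The check on the token's scope set matters as much as the scope enforcement itself: granting the connector an administrative or export scope "for convenience" would mean a compromised integration credential exposes every record in the source, not just the ones a request names. The post-erasure search is the evidence you keep for the audit trail that the request was honoured.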
Responsible Disclosure Rewards Program
We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Mine rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or accessing another user’s private data).
A minimum reward of $100 USD may be provided for the disclosure of qualifying reports. At our discretion, we may increase the reward amount based on the severity of the report. If you report a vulnerability that does not qualify under the above criteria, we may still provide a non-monetary reward in the form of Mine merchandise if your report causes us to take specific action to improve our security posture.
We ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately with reasonable time to respond, and your testing must avoid compromising other users or accounts and must not cause loss of funds that are not your own. We do not reward denial of service, spam, or social engineering vulnerabilities.
For submission guidelines see: OWASP Vulnerability Disclosure Cheat Sheet
Read the full scope, criteria, and restrictions in our help center.