
Security

Security and ensuring high-availability access are critical components of everything we do at Blinksale. To that end, we take a host of precautions so that your sensitive data remains just that…yours. If you have any questions, or encounter any issues, please contact us at .

Security vulnerabilities should be reported through bugcrowd.com/blinksale. See Vulnerability Recognition Program.

SSL

Blinksale forces HTTPS for all services, including our public website. We use GeoTrust to ensure the appropriate level of security.

Physical Security

Blinksale is hosted on Amazon Web Services (AWS) through Amazon’s infrastructure of controlled data centers. Blinksale runs on Engine Yard’s Cloud platform, built on top of Amazon Web Services, which is designed for 99.99% availability. Major brands like MasterCard, AOL and Audi use this same platform. The information in your account is regularly backed up at an offsite location. This ensures that if for any reason there is a loss of data or a physical emergency such as an earthquake, your data is safe and can be restored as needed.

Engine Yard provides self-contained environments for compute, storage, and database services. No functionality or access is shared between customer instances, ensuring data isolation. Read more about Engine Yard’s security and Amazon Web Services security.

Network Security

AWS provides network security controls which are configured and actively monitored by Engine Yard. Each customer instance is protected by an AWS security group which includes firewalls and ingress network filtering. AWS uses proprietary Distributed Denial of Service (DDoS) mitigation techniques to minimize exposure. Engine Yard actively works with AWS to aid in the resolution of detected security incidents, including DDoS attacks and illicit port scans.

Encryption and Data Management

Credit card security and management is handled by Jetpay.com. Blinksale does not store credit card numbers. Please review Jetpay’s security guidelines for more details including PCI compliance.

Blinksale does not store passwords themselves; instead, each password is salted and hashed using bcrypt, and only that hash is stored.

Note that contact information and invoice data are not stored using encryption. Access to all customer data requires prior authentication using validated credentials. After authentication and authorization have been successful, transmission of customer data is allowed only over SSL-based connections. See the Physical Security and Network Security sections for the extensive precautions taken to prevent unauthorized or illegal access.

Disclosure

We rapidly investigate all reported security issues. If you believe you’ve discovered a bug in Blinksale’s security, please get in touch at . We guarantee a (non-automated) response within 24 hours, and usually faster. To protect the integrity of customer data, we request that you not publicly disclose any potential security issue until it has been addressed by Blinksale.

Vulnerability Recognition Program

We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a recognition program for responsibly disclosed vulnerabilities. Blinksale rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf). Recognition in the Blinksale Security Hall of Fame may be provided for the disclosure of qualifying bugs.

As with most security programs, we ask that you use common sense when looking for security bugs.

  • Vulnerabilities must be disclosed to us privately with reasonable time to respond.
  • Only vulnerabilities submitted to bugcrowd.com/blinksale are eligible for the recognition program. Vulnerabilities reported via social media and/or support forms and forums are not eligible.
  • Researchers must avoid compromise of user accounts and loss of funds.
  • Researchers must properly identify any user accounts created for the purpose of security research by using the phrase “BugCrowd” in the company name or other user-input field.
  • We do not reward denial of service, spam, or social engineering vulnerabilities.
  • Although Blinksale itself and all services offered by Blinksale are eligible, vulnerabilities in third-party applications that use Blinksale are not.
  • Your report must include a Proof of Concept in the form of running code, screenshots, or a screen recording demonstrating the vulnerability.

And finally, as with most security programs, there are restrictions. We will only recognize the first person to responsibly disclose a bug to us. Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be recognized. Whether to recognize the disclosure of a bug and the timing of the recognition is entirely at our discretion, and we may cancel the program at any time. Your testing must not violate any laws.

Thank you for helping keep Blinksale, our users, and their customers safe!

Hall of Fame