Security at Sortment
Learn how Sortment protects customer data with secure cloud infrastructure, network security, access controls, encryption, incident management, vulnerability testing, and responsible disclosure.
Ankit Bansal · New York
CLOUD INFRASTRUCTURE
Sortment is hosted on a Virtual Private Cloud on Google Cloud, which provides a secure and scalable technology platform to ensure we can provide you services securely and reliably.
PERIMETER SECURITY
We have deployed a defence-in-depth architecture using a network firewall, a web application firewall, a DDoS protection layer, and a content delivery network.
Our infrastructure is launched in alignment with the Google Cloud Architecture Framework and, from a security perspective, incorporates practices from the Google Cloud Adoption Framework.
We have a 3-Tier Architecture that incorporates best practices from various standards and certifications.
We have strict network segmentation and isolation of environments and services in place.
HOST SECURITY
We use industry-leading solutions around anti-virus, anti-malware, intrusion prevention systems, intrusion detection systems, file integrity monitoring, application control, application and audit log aggregation, and automated patching.
All our servers are launched using hardened Linux images and relevant Center for Internet Security Benchmarks.
DATA SECURITY
We employ separation of environments and segregation of duties and have strict role-based access control on a documented, authorized, need-to-use basis.
We use key management services to restrict data access to the data team only.
Stored data is protected by encryption at rest and sensitive data by application-level encryption.
We use data replication for data resiliency, snapshotting for data durability, and backup/restore testing for data reliability.
INCIDENT AND CHANGE MANAGEMENT
We have deployed mature Change Management processes, which enable us to release thoroughly tested features to you reliably and securely, so you can enjoy the Sortment experience with maximum assurance.
We have a strong stance on Incident Management across both system downtime and security. We have a Network Operations Center and an Information Security Management System in place that quickly react to, remediate, or escalate any incidents arising from planned or unplanned changes.
VULNERABILITY ASSESSMENT AND PENETRATION TESTING
We have an in-house network security team that uses industry-leading products to conduct manual and automated VA/PT activities.
We employ both static application security testing and dynamic application security testing, which are incorporated into our continuous integration / continuous deployment pipeline.
BUG BOUNTY PROGRAM
Sortment values the security researcher community and recognizes the importance of their work in keeping the internet safe. Our Bug Bounty Program is designed to reward researchers for discovering and reporting vulnerabilities in our systems responsibly.
SCOPE
Our bug bounty program covers the following services:
Sortment Applications
Sortment API endpoints
Please note that vulnerabilities in third-party applications or services that integrate with Sortment are not included in the scope.
OUT OF SCOPE
The following findings are out of scope for our bug bounty program:
Denial of Service vulnerabilities
Spam or social engineering techniques
Vulnerabilities affecting outdated or unpatched browsers/devices
REWARDS
Rewards are based on the severity of the vulnerability, determined using the Common Vulnerability Scoring System. The final reward amount is at the discretion of our security team.
The reward can go up to 1,000 USD based on the severity of the bug.
SUBMISSION GUIDELINES
To submit a vulnerability, please follow these guidelines:
Provide detailed steps to reproduce the vulnerability, including any necessary code or tools.
Include your assessment of the vulnerability’s impact and potential severity.
Send your findings to security@sortment.com securely, preferably using encrypted email.
RECOGNITION
In addition to monetary rewards, we acknowledge the valuable contributions of researchers in our Hall of Fame and offer swag for significant findings.
We look forward to working with the security community to enhance the safety and security of our platform. Thank you for helping us keep Sortment and our users safe.