Commando.io security.

Security is our largest consideration.


Security Features

Two-factor authentication via Google® Authenticator.

AES encryption of sensitive data.

Passwords hashed with bcrypt.

HTTPS perfect forward secrecy with strict transport security. A+ rating on Qualys SSL Labs.

We protect against CSRF attacks by sending a unique token along with each request.

We enforce strong passwords on user creation and password change.

Rate limiting of certain actions.

Employees never access customer accounts unless absolutely required and prior consent has been given.

Internal intrusion detection notifications for unauthorized access of Commando.io servers.

SECURITY PRACTICES

A brief overview of our security policies.

Our website and application traffic runs entirely over encrypted SSL with perfect forward secrecy, with the Heartbleed and POODLE vulnerabilities mitigated (see our SSL Labs Report). In cryptography, perfect forward secrecy is a property of key-agreement protocols which ensures that a session key derived from a set of long-term keys is not compromised if one of the long-term keys is compromised in the future.

We use HTTP strict transport security to ensure browsers interact with Commando.io exclusively over HTTPS. This means passwords and other sensitive data are never leaked over the network.

In the Commando.io application, the server address, SSH port, and SSH username are all AES-encrypted in the database. We also rate limit a variety of actions on the site (login attempts, password resets, etc.). Rate limiting allows us to thwart brute-force attacks and block malicious behavior.
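The rate limiting described above, as an added example that is not Commando.io's own code: a sliding-window limiter keyed by action and identity, with per-action limits (the action names, limits and the constructed attempt log are assumptions for illustration).

```python
"""Sliding-window rate limiter for sensitive actions (login, password reset).

Added illustration, not Commando.io's implementation. Limits and keys below
are constructed values chosen for the example.
"""
from collections import defaultdict, deque

# Assumed per-action policy: action -> (max events, window in seconds).
ACTION_LIMITS = {
    "login": (5, 60.0),            # at most 5 login attempts per minute
    "password_reset": (3, 3600.0), # at most 3 reset requests per hour
}


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Discard events that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: reject without recording
        q.append(now)
        return True


class ActionLimiter:
    """One limiter per action, keyed by the caller's identity (e.g. source IP)."""

    def __init__(self, policy=ACTION_LIMITS):
        self._limiters = {a: SlidingWindowLimiter(n, w) for a, (n, w) in policy.items()}

    def check(self, action: str, identity: str, now: float) -> bool:
        lim = self._limiters.get(action)
        if lim is None:
            return True           # unrestricted action
        return lim.allow(f"{action}:{identity}", now)


# Constructed attempt log: (time in seconds, action, identity).
CONSTRUCTED_ATTEMPTS = [
    (0, "login", "10.0.0.1"), (1, "login", "10.0.0.1"), (2, "login", "10.0.0.1"),
    (3, "login", "10.0.0.2"),                      # a different client is unaffected
    (3, "login", "10.0.0.1"), (4, "login", "10.0.0.1"),
    (5, "login", "10.0.0.1"), (6, "login", "10.0.0.1"),  # 6th and 7th in the minute: blocked
    (10, "password_reset", "10.0.0.1"),            # separate budget for resets
    (70, "login", "10.0.0.1"),                     # window has slid: allowed again
]


def simulate(attempts=CONSTRUCTED_ATTEMPTS):
    """Replay the attempt log and return the allow/deny decision for each entry."""
    limiter = ActionLimiter()
    return [limiter.check(action, who, t) for t, action, who in attempts]


if __name__ == "__main__":
    for entry, ok in zip(CONSTRUCTED_ATTEMPTS, simulate()):
        print(entry, "allowed" if ok else "BLOCKED")
```

Rejected attempts are deliberately not recorded, so a client that keeps hammering does not extend its own lockout; whether that is desirable depends on the action being protected.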

All user passwords are filtered from all our logs and hashed using bcrypt. We never store your password in plaintext. We protect against CSRF (cross-site request forgery) attacks by sending a unique token along with each request.
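The per-request CSRF token mentioned above, as an added example that is not Commando.io's own code: the token binds a random nonce to the session with an HMAC and is checked in constant time, so a forged cross-site request without a valid token is rejected. The session identifiers, the in-memory secret and the `handle_post` handler are assumptions for illustration; the bcrypt password hashing is not shown here.

```python
"""HMAC-bound CSRF tokens using only the standard library.

Added illustration, not Commando.io's implementation. The secret is
generated at import time for the example; a real deployment keeps a
persistent server-side secret.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed for the example


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return a fresh token of the form '<nonce>.<mac>' tied to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """True only if the token's MAC matches this session; constant-time compare."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_post(session_id: str, form: dict) -> int:
    """Simulated state-changing handler: 403 without a valid token, else 200."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print("same session:", handle_post("session-A", {"csrf_token": token}))   # 200
    print("other session:", handle_post("session-B", {"csrf_token": token}))  # 403
    print("no token:", handle_post("session-A", {}))                          # 403
```

Because the MAC covers the session identifier, a token captured from one session is useless in another, and the server needs no per-token storage to validate it.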

We do not store any credit card information. This data is handed off to Stripe, a company dedicated to storing your sensitive data on PCI-compliant servers.

Employees are required to encrypt their hard drives, utilize strong passwords, and enable screen locking. No Commando.io employees are allowed to access a Commando.io account unless absolutely required and prior consent is given.

WHITEHAT

Responsible disclosure of security vulnerabilities.

We want to keep Commando.io safe for everyone. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

The criteria for disclosing a security vulnerability are as follows:

  • You must be the first person to disclose the vulnerability.
  • You must not have disclosed the vulnerability to anyone or anywhere else.
  • It must not be a vulnerability hosted by a third party (e.g. CDN, blog, support, analytics, etc.) unless it leads to a vulnerability on the main website or application.
  • It must not be a DoS attack.
  • It must not be spam.

Publicly disclosing a vulnerability can put Commando.io at risk. If you've discovered a security concern, please email us at security@commando.io. We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to security@commando.io our highest priority, and work to address any issues that arise as quickly as possible.

Please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you, or administrative action against your Commando.io account, if you act accordingly; white hat researchers are always appreciated.

Our PGP key is below. You may use this key to encrypt your communications with Commando.io. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key).

Once you've imported our key, you can verify the signature of e-mails we send you by running gpg --verify.

Key ID: 0C1635A8
Key Algorithm: RSA
Key Size: 4096
Fingerprint: 2D43 DE69 F8A8 932C 70EA 3F1C B5BC 292F 0C16 35A8
User ID: "Commando.io Security" <security@commando.io>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v0.7.0
Comment: Email security by Mailvelope - https://www.mailvelope.com/
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=1GZD
-----END PGP PUBLIC KEY BLOCK-----

HALL OF FAME

Thanks for helping keep Commando.io secure.

Evan Ricafort

Sahil Saif

Manish Bhattacharya

Scott Glossop

Jay Turla

Jose Pino

Koutrouss Naddara

Muhammad Shahmeer

Jared Perry

Jay Scott

J.M.Gazzaly

Muhammad Talha Khan

Mazen Gamal Mesbah

Tarek Siddiki

Russel Laurio

Mitesh Patil

Sameer Phad