Two-factor authentication via Google® Authenticator.
AES encryption of sensitive data.
Passwords hashed with bcrypt.
HTTPS perfect forward secrecy with strict transport security. A+ rating on Qualys SSL Labs.
We protect against CSRF attacks by sending a unique token along with each request.
We enforce strong passwords on user creation and password change.
Rate limiting of certain actions.
Employees never ever access accounts unless absolutely required and prior consent is given.
Internal intrusion detection notifications for unauthorized access of Commando.io servers.
Our website and application traffic run entirely over encrypted SSL/TLS with perfect forward secrecy, and the Heartbleed and POODLE vulnerabilities are mitigated (see our SSL Labs Report). In cryptography, perfect forward secrecy is a property of key-agreement protocols that ensures that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future.
We use HTTP strict transport security to ensure browsers interact with Commando.io exclusively over HTTPS. This means passwords and other sensitive data are never sent over an unencrypted connection.
In the Commando.io application, the server address, SSH port, and SSH username are all AES encrypted in the database. We also rate limit a variety of actions on the site (login attempts, password resets, etc.). Rate limiting allows us to thwart brute force attacks and block malicious behavior.
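The rate limiting described above, as an added example that is not Commando.io's own code: a sliding-window limiter that allows at most a fixed number of attempts per key (a username, a client IP, or both) within a time window. The key format, the limits and the replayed attempt timestamps are constructed for illustration; timestamps are passed in by the caller so the logic can be exercised deterministically.

```python
"""Sliding-window rate limiter for login attempts (constructed example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class RateLimiter:
    """Allow at most `limit` attempts per `window_seconds` for each key.

    Rejected attempts are not recorded, so a client that is already over
    the limit is not pushed further into the future by continuing to try;
    the window simply has to age out.
    """

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        """Record an attempt at time `now` and return whether it is allowed."""
        q = self._events[key]
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: reject without recording
        q.append(now)
        return True


def simulate_login_attempts(limit: int = 5, window: float = 60.0) -> List[bool]:
    """Replay a constructed burst of attempts against one account and
    return the allow/deny decision for each one."""
    rl = RateLimiter(limit, window)
    key = "alice@203.0.113.7"  # constructed: username + client IP
    timestamps = [0, 1, 2, 3, 4, 5, 30, 61, 62]
    return [rl.allow(key, t) for t in timestamps]


if __name__ == "__main__":
    # Five attempts succeed, the sixth and seventh are throttled, and
    # attempts are accepted again once the oldest ones fall out of the window.
    print(simulate_login_attempts())
```

Keying on username alone throttles an attacker spraying one account from many addresses; keying on IP alone throttles one address spraying many accounts. Limiting on both, as in the constructed key above, covers both cases.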
All user passwords are filtered from all our logs and hashed using bcrypt. We don't ever store your password in plain-text. We protect against CSRF (cross-site request forgery) attacks by sending a unique token along with each request.
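The three measures in the paragraph above, salted password hashing, a per-session CSRF token, and password redaction in logs, as an added example that is not Commando.io's own code. Commando.io uses bcrypt; this example substitutes the standard library's PBKDF2 so it runs without third-party packages, and the principle is the same: a random per-user salt, a deliberately slow derivation, and constant-time comparison on verification. The storage format, the session dictionary, the log-line shape and the regular expression are all assumptions made for the example.

```python
"""Password hashing, CSRF tokens and log redaction (constructed example)."""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Work factor for the PBKDF2 stand-in (the page's bcrypt has its own cost parameter).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session and return it
    for embedding in the form or request header."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if the submitted token matches
    the one bound to the session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# Matches 'password=value', 'password_confirm: value' and similar in a log line.
_PASSWORD_FIELD = re.compile(r"(?i)(password[^=:\s]*\s*[=:]\s*)([^&\s,]+)")


def redact_passwords(line: str) -> str:
    """Replace password values in a log line before it is written."""
    return _PASSWORD_FIELD.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    session: dict = {}
    tok = issue_csrf_token(session)
    print(verify_csrf_token(session, tok))
    # Constructed log line of the kind a naive request logger would emit.
    print(redact_passwords("POST /login user=alice&password=hunter2 200"))
```

Redacting at the logging layer is a backstop; the primary control is not to log request bodies or query strings that can carry credentials in the first place.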
We do not store any credit card information. This data is handed off to Stripe, a company dedicated to storing your sensitive data on PCI-compliant servers.
Employees are required to encrypt their hard drives, utilize strong passwords, and enable screen locking. No Commando.io employees are allowed to access a Commando.io account unless absolutely required and prior consent is given.
We want to keep Commando.io safe for everyone. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
The criteria for disclosing a security vulnerability are as follows:
Publicly disclosing a vulnerability can put Commando.io at risk. If you've discovered a security concern, please email us at security@commando.io. We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to security@commando.io our highest priority, and work to address any issues that arise as quickly as possible.
Please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you, or administrative action against your Commando.io account if you act accordingly: White hat researchers are always appreciated.
Our PGP key is below. You may use this key to encrypt your communications with Commando.io. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key).
Once you've imported our key, you can verify the signature of e-mails we send you by running gpg --verify.
Key ID: 0C1635A8
Key Algorithm: RSA
Key Size: 4096
Fingerprint: 2D43 DE69 F8A8 932C 70EA 3F1C B5BC 292F 0C16 35A8
User ID: "Commando.io Security" <security@commando.io>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v0.7.0
Comment: Email security by Mailvelope - https://www.mailvelope.com/

xsFNBFL541EBEACL1XMGi100enHslIwjBFuCxG21vp3nHPz2vmQaKGpob2/4
qmapY+/Ku0ZYEvSF8szH+skloh1jvwcGpzBksB3wF0tdjtbgxUlFMUMF1rxf
yJUCR7g0H3hiUc0tra0YNP5vrGF8u0eEIUSi7PomwGQh8tLZ5fyIlVQLH7Fl
mOtf3PkX2vsNWwZDZaeqehr9Uv2/8UiLJ412WmD2WuP8Dm9I2h1Yti/0CEP1
fL0xXOJP/OaT38wFYYMTpfFZhXCOEee4H7NVu6guvB2VuULJQIsuAeoBIbnD
lCtrmN+36Ezm6bAl2jawhGdi422S9kiUfvBC7/nHsNpDQSD7nyF+aq8uc/aF
eT2+cnFMOjPbdEDsa7XKJcUqNi+Ue/tWjoJATlb35Ndxcu2J5TS3J0Jxso9L
hvGtTHnsgHUIhkdqhtr5x3r1nUk7zoXMWvjN3xQJX6ERJND9LenZKrNfop9W
U1jK45qT0Ae4IM04rNAOReT6o+C/KbihFa7qpfDfRLXPrRTv56ungcQoF9nw
i5fBjOVjaXLuKE/Rt/EkSH3cPQ54yKQblcOKoRXrjYxWQXSudyEJkc3JER9a
HAnMm4oQQXQmRL9GPdIJ8ijtjZaTNWKaD/L+h3BLqBnvwYV1NGzvlnuJbn12
IdZ18HRjo/F3qg4a6oHPmChwZluyWRLcmPwpbwARAQABzS0iQ29tbWFuZG8u
aW8gU2VjdXJpdHkiIDxzZWN1cml0eUBjb21tYW5kby5pbz7CwVwEEAEIABAF
AlL542kJELW8KS8MFjWoAAC9kA//VhdArpzVMFczM8vMw9XuoZLk8tjtn6SS
GDpDlx/rBmXijXazLM3jy12IQ+dYgFyqiRywnCYD/AarYV9tZ8wYZdi1z9h3
3qK4seEMZ8Cv8ZqiWDShvX1D2n4p5bQFwAy8oLBhYu5hfUcxEOuvtaHjtfMZ
c+jKtKs2m6XIbV+BJOJiEYFKXPIKCpxTMmSJbin69m0T1/KE4iaqrb2EurUl
dBubHIanlbuF3CGnIU4HURTcE7eXGjTy+whyvFxyZ51asRhXHNZQgxmtM2hB
1vHTg995LiLaH9VA+q0XDRpAONHScR3aU4w0/7yAEBXiGWnwKYv8EbwtQgPI
Ex0S9G4NoQq3xAIgW2LqiFzvrD/n7TJFGbu8jbBAMYhTEfa7rUud36Y4C9se
HENT6zEBn6utNHeXxupHaBrqgmOVjCiW2esnfM+V4S2M6ep0J6w1d+IsXn7A
wtvj0yw7h0bM7zoluFU34oXkUCpEe6NaN3GyoLHsm1brzLQi26XI7dZsyVHs
Y2lJOOprnaOvQW/CGDE3ltfUliUUonptUamU9QkJ+UcOe4NjUmxHPrE1wyd9
9sB8ThaexWFIc/6jMmjzE91VmdXi/XYLlXzqx49TeoaZ4fN2FAvmbPA4kqjn
VOwpTPUszgtNMag+Zkp1x2oY1rqNng6swa+ljoR5B2E3tmlVQeI=
=1GZD
-----END PGP PUBLIC KEY BLOCK-----