We take the security of our systems (and indeed the security of the entire internet) seriously.
Our entire system (the website, the API, our developers site and all the extra services we've built to make everything work) has been built from Day 1 to be secure and stable. Security best practices are used as widely as possible: we use password managers, we don't reuse passwords, firewalls are in place, user-submitted content (including from XHR) is validated and not blindly trusted, we keep software up to date, we regularly purge our database of identifying information (emails, IP addresses, etc.), we don't collect more info than we need to, we log and inspect anomalous events, we keep current with security news and trends, and so on.
For now, this page is a brief placeholder (as we set up our security.txt file), but we will expand this page soon.
We don't have an official bug or security bounty program at the moment, but if, in normal use of the site, you find a serious security issue, we'd love to send you some vinyl laptop stickers to say thanks.
We believe in responsible disclosure; if you find a problem, please give us time to acknowledge and fix it. We would love to acknowledge your help. If you find a problem, please let us know; we won't be mad.
What we want to know
- if we are leaking information that we shouldn't (particularly about other people who have also used our services) (except for the Unique Browser URLs, which are intended to be shared)
- if there is a way to inject invalid information into our services (for example, the Unique Browser URL system takes an XHR request a few seconds after the page is loaded - it doesn't blindly trust the info, it validates it.)
- if there is a way to access or modify our systems without our consent
What we don't want to know
- DDoS attacks and the like are not security vulnerabilities; they are just illegal.
- Our passwords are generated by password managers, are at least 32 characters long and are alpha/numeric/symbol based. Don't bother trying to crack them.
Fortunately, no one has found any problems yet.
Reporting security problems
To report security problems, please use our Contact Us page.
If you want to send us encrypted email, our GPG Key is: WhatIsMyBrowser-info.asc
If you have any suggestions or comments, we'd love to hear!
Thanks, and stay safe.