Security
Last updated on October 29, 2024
At 1099Policy Inc., we are committed to protecting your information through robust security measures and clear policies. Below you will find detailed information on our security practices and how we handle vulnerabilities.
Security Disclaimer
Our comprehensive security program is designed to protect customer data, ensure regulatory compliance, and foster trust.
Data Protection Measures
Encryption at Rest and in Transit: All customer data is encrypted at rest with industry-standard AES-256 and protected in transit with TLS 1.2 or later.
Access Controls: We implement strict role-based access controls to ensure that only authorized personnel can access sensitive information.
Secure Cloud Infrastructure: Our platform is hosted on secure cloud services that comply with top-tier security standards, providing redundancy and resilience against data loss.
Continuous Monitoring and Regular Audits
Threat Detection: We continuously monitor our systems using advanced security tools to detect and mitigate potential threats.
Regular Security Assessments: We conduct frequent internal and external security evaluations to identify and address vulnerabilities promptly.
Compliance with Industry Standards
Aligned with SOC 2 Type II: 1099Policy Inc. aligns its practices with the SOC 2 Type II framework, demonstrating our commitment to maintaining high levels of security, availability, and confidentiality of customer data.
Aligned with ISO 27001: We follow the ISO 27001 standard for information security management systems, ensuring a systematic approach to managing sensitive information.
GDPR Compliance: We comply with the General Data Protection Regulation (GDPR), ensuring the privacy and protection of personal data for our users in the European Union.
Data Governance: We maintain comprehensive data governance policies to manage the lifecycle of your data securely and transparently.
Customer Responsibilities
We believe in a partnership approach to security. As a user of 1099Policy Inc.'s services, you acknowledge and agree to the following responsibilities:
Account Security: You are responsible for maintaining the confidentiality of your account credentials. Please ensure your password is strong and not shared with others.
Authorized Use: Ensure that only your authorized personnel access and use our services, and such use complies with our terms and conditions.
Content Responsibility: You are responsible for all content posted and activities that occur under your account, including content posted by others who may have access to your account.
Compliance with Laws: Use our services in compliance with all applicable laws and regulations. Do not use our platform to infringe upon the rights of others or engage in unlawful activities.
System Requirements: Be prepared to make any necessary changes to your systems to support the delivery and operation of our services.
Prohibited Activities
To maintain a secure and trustworthy environment, you agree not to engage in activities that:
Illegal Use: Violate any applicable laws or regulations.
Security Breaches: Attempt to breach or circumvent security measures, access data not intended for you, or probe our systems for vulnerabilities without authorization (testing conducted under the Bug Bounty Program below is authorized).
Unauthorized Access: Use another user's account without permission or share your account credentials with unauthorized individuals.
Malicious Actions: Introduce viruses, worms, or other malicious software into our systems.
Service Disruption: Interfere with or disrupt the integrity or performance of our services.
Spam and Harassment: Send unsolicited messages, engage in phishing, or harass others through our platform.
Privacy Violations: Use our services in a manner that infringes upon the privacy rights of others.
Vulnerability Disclosure and Bug Bounty Program
At 1099Policy Inc., we value the efforts of security researchers and the wider community in helping us maintain a secure platform. To encourage responsible disclosure of security vulnerabilities, we have established a Bug Bounty Program.
Scope of the Program
In-Scope Systems
Our Bug Bounty Program applies to the following assets:
Main Website: www.1099policy.com
User Platform: dashboard.1099policy.com
API Services: api.1099policy.com
Out-of-Scope Systems
The following are out of scope for this program:
Third-party services and applications.
Staging and development environments.
Any systems not explicitly listed under "In-Scope Systems."
Eligible Vulnerabilities
We are interested in receiving reports for the following types of vulnerabilities:
Authentication Bypass
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
SQL Injection
Remote Code Execution
Privilege Escalation
Leaked Credentials, Passwords or Secrets
Business Logic Leading To Critical Vulnerabilities
Significant Security Misconfigurations
Excluded Submission Types
The following are not eligible for rewards:
Denial of Service (DoS) attacks.
Spam or social engineering techniques.
Phishing schemes.
Physical security breaches.
Clickjacking on pages with no sensitive actions.
Missing security headers without a demonstrable impact.
Vulnerabilities that require a rooted or jailbroken device.
General best practice issues without a proven security impact.
Research Guidelines
To ensure the safety and privacy of our users, please adhere to the following guidelines during your research:
Act in Good Faith: Use your skills responsibly and ethically to improve our security.
Non-Disruptive Testing: Avoid actions that could harm the reliability or integrity of our services, such as automated scanning or denial-of-service attacks.
User Privacy: Do not access, modify, or delete data that does not belong to you. Use test accounts for research purposes.
Limited Scope: Focus your testing on the in-scope systems and avoid any interaction with out-of-scope systems.
Confidentiality: Do not disclose any vulnerability details to third parties or the public before we have resolved the issue.
Compliance with Laws: Ensure your activities comply with all applicable local and international laws.
Reporting a Vulnerability
If you discover a security vulnerability in our platform, please report it promptly by emailing security@1099policy.com with the subject line "Bug Bounty Submission." Include the following in your report:
Description: A clear and detailed explanation of the vulnerability and its potential impact.
Reproduction Steps: Step-by-step instructions to reproduce the issue, including any necessary proof-of-concept code.
Supporting Evidence: Relevant screenshots, logs, or any other evidence that supports your findings.
Your Contact Information: Your name and a method of contact for any necessary follow-up.
Our Commitment to You
We appreciate your contributions and are committed to:
Prompt Acknowledgment: We will acknowledge receipt of your report within 72 hours.
Fair Evaluation: Our security team will investigate and validate the reported vulnerability.
Transparent Communication: We will keep you informed about the status of your report and our remediation efforts.
Recognition and Rewards: If your submission is valid and leads to a code or configuration change, you may be eligible for a monetary reward based on the severity of the vulnerability.
Reward Guidelines
We offer monetary rewards for valid vulnerabilities based on their severity:
Low Severity: $100
Medium Severity: $250
High Severity: $500
Critical Severity: $1,000
Note: The final reward amount is at the discretion of 1099Policy Inc. and is based on the impact, complexity, and quality of the report.
Safe Harbor Statement
Your security research is important to us, and we are committed to working with you to address vulnerabilities. If you comply with this policy and act in good faith:
Legal Protection: We consider your activities to be authorized and will not initiate legal action against you for your research.
Authorization under CFAA: We consider your research to be authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws.
No Restrictive Actions: We waive any restrictions in our Terms of Service that would prohibit your participation in this program.
Support Against Third-Party Actions: If legal action is initiated by a third party against you for activities conducted under this policy, we will make it known that your actions were authorized and in compliance with this policy.