Security Services Provided
Log4j / Log4Shell update
Our team is aware of the recent vulnerability in the Java Log4j logging system. Nutshell’s infrastructure has minimal exposure to Java, and upon learning of the vulnerability, we conducted a review of our systems. We have not identified any system which runs an affected version of Log4j, including our Solr and Jenkins infrastructure.
We continue to review our systems to ensure the security of your data, and we will continue to monitor industry security lists for issues like this.
Always encrypted
We use bank-grade, 256-bit TLS 1.2 encryption every time you access your Nutshell account, whether it’s via the web or our mobile applications. Your data is encrypted at rest in our databases.
Continuous backups
All data is immediately replicated to multiple servers. We also take twice-daily, weekly, and monthly snapshots. Third-party monitoring services immediately page our team with any issue. See live availability updates at status.nutshell.com.
Protected financial data
We use a PCI-compliant provider to securely store your billing information. Credit card information is not stored on our servers.
Secured passwords
Passwords are one-way hashed and cannot be accessed by Nutshell staff.
Successful CASA assessment
We successfully completed a Cloud Application Security Assessment (CASA) for our web application, validating that we meet the security requirements set out by the App Defense Alliance (ADA).
The requirements include alignment with industry-leading security frameworks and a lack of findings linked to common weakness enumerations (CWEs) with high or medium risk of exploit.
And here are the details for the security pros:
Network security
Our engineering team has experience managing petabytes of data securely and durably. We take the following steps to keep your data secure at rest and as it transits networks.
- Firewalls, VPNs, modern Linux operating systems, conservative network and security group configuration
- Encryption at rest
- VPNs to secure employee access and encrypt all data that transits Internet links
- Nutshell passwords are salted and one-way hashed. Our staff cannot access or see your password
- Login pages are protected against brute-force attacks
- We follow industry security lists and promptly patch critical issues (we patched Heartbleed within hours)
- We use a multi-tenant data storage architecture. Customer data is stored in discrete silos per account, to isolate and protect your data
Operational security
Our support team is based in-house with our Ann Arbor engineering team. We will only access your account with your permission to troubleshoot support issues. Staff will never ask for your Nutshell password.
- All staff computers run with full-disk encryption and strong passwords
- We limit our internal network’s exposure to Windows
- Every Nutshell employee receives a copy of 1Password on their first day
- Offices are secured with individual keycard access
Financial security
Your credit card and billing information is stored securely. Our billing provider is PCI-compliant and managed separately from Nutshell application systems.
Passwords
Nutshell uses one-way hashing to securely store a representation of your password. We cannot retrieve a password; you must use our forgotten password tool in conjunction with your email address to recover your password. It is your responsibility to keep your Nutshell email address up to date.
It is your responsibility to choose secure passwords and to keep them safe. Nutshell cannot be responsible for data that is compromised due to an insecure or stolen user password. If you are authenticating with Nutshell via a third-party (e.g., Google Apps), those passwords must also be secured.
Responsible disclosure
If you are a security researcher or you believe that you have encountered a problem in Nutshell’s security, please review the following notes.
Nutshell does not offer a bug bounty program to pay for reports.
Please report any security concerns to security@nutshell.com. If you need to send an encrypted message, you can find our encryption key on Keybase.
We ask that you give us a reasonable amount of time to respond to reports before making information public.
Please do not conduct any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned.
We don’t accept responsible disclosure reports around the following issues:
- Iframe / UI redress issues related to X-Frame-Options headers
- HSTS implementation
- User-provided password strength
- SPF, DKIM and DMARC configuration issues
- User enumeration issues (we utilize rate limiting to protect our users)
- Presence of banner or version information
Acknowledgments
We’ve received disclosures from many individuals and organizations to make Nutshell a more secure place. You can read about them here.