Security
We treasure the security and privacy of our users, especially as we understand the importance of both when it comes to your email.
Triage is an iOS application that runs on your device. There is no separate server component. The content of your email stays on your device, 100% of the time.
In order to provide secure synchronisation across devices we use services from Apple:
- CloudKit (which requires iCloud and iCloud Drive to be enabled) is used to store and synchronise account names, your preferences and currently selected account. This information is not visible to anyone at Triage, and in the vast majority of cases is end-to-end encrypted and therefore not visible to anyone at Apple. You can read more in Apple’s CloudKit security page or their end-to-end encryption page.
- Credentials used to access your account are stored in the secure Keychain on your device. These credentials will only sync if you have iCloud Keychain enabled. If iCloud Keychain is not enabled, credentials will never leave your device.
We use some 3rd party services in order to help us develop Triage and improve the application. We don’t send any identifying data to these services.
- RevenueCat provides us with billing and subscription management.
- We use BugSnag to track errors and crashes, so we can make the application more stable.
- We use Mixpanel to track some simple, non-identifiable analytics that we can use to focus our efforts and improve Triage.
If you have any concerns or questions about any of this, please feel free to get in touch.
Responsible Disclosure
The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
Guidelines
We require that all researchers
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Triage until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
Scope
The “Triage 2” iOS Application.
Out of Scope
Any services hosted by third-party providers and services are excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating);
- Findings derived primarily from social engineering (e.g. phishing, vishing);
- Findings from applications or systems not listed in the ‘Scope’ section;
- UI and UX bugs and spelling mistakes;
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive:
- Personally identifiable information (PII);
- Credit card holder data
The following finding types are explicitly excluded from our program:
- CSV Injection
- Open redirects
- Login/logout CSRF
- Missing cookie flags on non-sensitive cookies
- Presence of autocomplete attribute on web forms
- Attacks requiring physical access to a user’s device
- Fingerprinting/banner disclosure on common/public services
- Mail configuration issues including SPF, DKIM, DMARC settings
- Disclosure of known public files or directories (e.g robots.txt)
- Use of a known-vulnerable library (without evidence of exploitability)
- Vulnerabilities affecting users of unsupported or outdated browsers or platforms
- Any access to data where the targeted user needs to be operating a rooted mobile device
- Password and account recovery policies, such as reset link expiration or password complexity
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
How should I report a security vulnerability?
If you believe you’ve found a security vulnerability in Triage please send it to us by emailing security@triage.cc. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
- Your name/handle and a link for recognition in our Hall of Fame.
If you’d like to encrypt the information, please use our PGP Key:
- Key ID: CFF3932CB727101D
- Fingerprint: 83FBDB0D68561DC90C391303CFF3932CB727101D
We are an early stage startup with a limited budget, so we are unable to pay bounty at this stage. We will consider offering service credits for any serious vulnerability that is responsibly disclosed.