We take privacy very seriously and follows practices to ensure the security of user data. All user data is encrypted in transit and at rest, and all user interactions with the system are protected by authentication protocols. Additionally, Flusk Vault maintains rigorous internal policies and procedures to ensure that user data remains private and secure.
To do so, we:
Mainly use and collect publicly accessible data to perform security tests. This is done by fetching the public JSON application file of your app, which only contains information on its structure.
Never access, fetch or copy any data from your app's database. You can also remove the database access to Flusk.
Require all app owners to verify their ownership, making it impossible to use Flusk Vault for identifying vulnerabilities on other apps.
Avoid using customer data for security tests whenever possible. In most cases, we only use the JSON application file to review items. For example, when reviewing if a database field is sensitive, we first assess it based on its field name and context.
Never store customer data on our server, they are deleted immediately upon check.
How does Flusk Vault work?
Scraping public data
The main thing we use in order to analyze your application is scraping the public App JSON Object on all your pages. This is basically how the tool works:
First API call to get all the pages of your application
Fetch the JSON Object of each page
Analyze the public content of each page
Analyze the public global properties of your app
This allows for extraction of all the front-end data (that is public and viewable by everyone) as a JSON object that we pass to our algorithm. Once your data is inside our back end, we will analyze it and look for security vulnerabilities on every single page of your app.
Verifying ownership
In order to ensure the proper installation and functionality of Flusk Vault, we kindly request that you grant access to our internal account, [email protected]. This is necessary for two main reasons.
Firstly, verify that you are the rightful owner of the application and prevent any unauthorized access.
Secondly, to process confidential data such as API Tokens, privacy rules, and cookie exploits, as well as to provide access to features that are not yet publicly available.