Security at Bunnyshell

Security Overview

At Bunnyshell, data security is a critical aspect and we recognize the importance of collaborating with proficient security researchers to detect any vulnerabilities in our technology. If you come across any security vulnerability in Bunnyshell's service, please do not hesitate to inform us so we can take prompt action and address the issue together.

Data Security

Bunnyshell encrypts data at rest and in transit for all of our customers. We use tools like Hashicorp Vault to manage encryption keys for security in line with industry best practices.

Application Security

Bunnyshell regularly engages security experts for third-party penetration tests. Our penetration testers evaluate the running application, and the deployed environment.

Bunnyshell also uses high-quality static analysis tooling provided by Snyk to secure our product at every step of the development process.

Infrastructure Security

Bunnyshell uses Amazon Web Services to host our application. We make use of the security products embedded within the AWS ecosystem, such as GuardDuty.

Responsible Disclosure Policy

Last Updated: January 20, 2023

Disclosure Policy

• If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@bunnyshell.com. We will acknowledge your email within one week.
• It is prohibited to keep, distribute, expose or destroy Bunnyshell or customer data. If you come across any Personally Identifiable Information (PII), you should stop your activity, delete the related data from your system, and immediately inform Bunnyshell.
• Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Bunnyshell service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
• Before sharing any reported issue with a third party or disclosing it publicly, allow Bunnyshell a reasonable amount of time to rectify the issue.

Excluded Vulnerabilities

Our Responsible Disclosure Program has certain vulnerabilities that are not included in its scope.

• Denial-of-Service (DoS) attacks
• Social engineering or phishing of Bunnyshell employees or contractors
• Any attacks against Bunnyshell's physical property
• Resource exhaustion attacks
• Spamming

This policy applies to Bunnyshell Application hosted at environments.bunnyshell.com and to any other subdomains or services associated with the Bunnyshell App. We do not accept reports for vulnerabilities solely affecting our marketing website (www.bunnyshell.com) which contains no sensitive data.

Submission format

When submitting a report of a possible vulnerability, kindly provide a comprehensive summary of the vulnerability, including the target affected, steps taken, tools used and any relevant evidence (screenshots are highly appreciated).