Security

Important security information regarding Compose, Inc., an IBM Company.
Last Revised: July 23, 2014

Need more help?Contact Support

Compose's Security Policy

How to Report a Security Problem

If you feel the issue is urgent or has some sensitive element involved, please send your report directly to security@compose.io. To ensure confidentiality in the reporting process, please use our public key. Doing this will also give us a secure way to respond to your concerns, usually within 24 hours.

If your issue isn't urgent or sensitive, you should submit a support request where it will be handled through our normal support processes.

How We Manage Security Issues

To keep up with the latest in web security and to ensure our defences are effective, we work with security researchers. If you are a security researcher who is aware of a web security flaw that may affect our platforms and products, please let us know. Submitted reports will be…

1. Acknowledged

We will inform you of the best way to keep track of the issue.

2. Investigated

We will look into the issue and work out how it affects our systems. Although we won't disclose the issues until the investigation is completed, we will work with you so that all involved fully understand the issue.

3. Credited

We will publicly thank the reporter for discovering and helping us correct a security issue on this page.

Our products are built on a wide range of technologies and issues reported may be an issue with one of those technologies. Where that is the case, we will work with the communities and companies behind those technologies to ensure that they are protected from the same issue and avoid a situation where early public disclosure leaves others at risk. With that in mind, we ask for your understanding and patience in advance and assure you that is such a step is necessary that we will keep you informed.

4. Excluded Reports

Only noteworthy reporting is eligible for acknowledgement on the site. The following classes of report are ineligible:

  • Reports from automated tools, scripts and tools - Many tools are noisy and generate false positives. If you believe that you have found an issue, to be noteworthy the problem must be accompanied by details of a practical exploit to eliminate those false positives.
  • SSL cipher issues - We only accept cipher issues as noteworthy if they are accompanied with details of a practical exploit leveraging that cipher issue.

Big Thanks

We'd like to thank the following security researchers and companies whom have worked with us to keep Compose as secure as possible by finding, fixing, and responsibly disclosing security flaws:

  • Matasano
  • iSEC Partners
  • Buffer
  • Nishant Raj
  • Kamil Sevi
  • Swapnil A. Thaware
  • Jitendra Jaiswal
  • Ahmed Jerbi (Web Plus)
  • Milan A Solanki
  • Satheesh Raj (@rsatheesh523)
  • Joel Melegrito (@Superngorks)
  • Madhu Akula
  • DJ (WritingOddity)
  • C Vishnu Vardhan Reddy (Vishnu_dfx).
  • Jan Kulinski, MetricWire
  • Dan Gilkerson
  • Shawar Khan
  • Ahsan Khan
  • Raja Uzair Abdullah
  • Yeasir Arafat

Still need some help?

If this page doesn't answer your questions, summon a human and ask away!