docs > Security

Overview

We protect your information from security threats using:

  • Firewalls: We use CloudFlare's Web Application Firewall in front of all page and API endpoints.
  • Strong authorisation and authentication: We use rotating and securely stored API keys to connect to data stores, multi-factor authentication for all administrative access, strong user passwords and cryptographically random account access tokens.
  • Supply-chain validation: We run GitHub's Dependabot on all of our source code to detect vulnerable dependencies, and we update all identified vulnerable packages (or implement a mitigation where an update is unavailable) within 72 hours of being alerted.
  • Secure software development: We develop software securely, including scanning all our source code with SonarCloud, following the OWASP Top 10, using mature web application frameworks, running a high level of automated testing coverage and including security-focussed test cases as core business practice. We patch any identified vulnerabilities within 24 hours of their identification.
  • Backups: We store daily shapshot backups of all customer data in both online and offline locations, transferring them only over encrypted connections, and regularly testing our restoration process.

Special note regarding CVE-2021-33026
CVE-2021-33026 is a CVE lodged against all current versions of the Flask-Caching Python package, which dnstwister uses. No patch is currently available for this package. We have assessed both the vulnerability and our use of the package and can confirm dnstwister is not vulnerable to the issues outlined in this CVE.

Privacy statement

We handle your information as outlined in our Privacy Statement and store only the absolute minimum information about our customers needed to facilitate the running of our service.

Software Bill Of Materials (SBOM)

dnstwister relies on a number of open source software dependencies. For the purposes of improved security and transparency for our customers, we are publishing that list here in CycloneDX format.

CycloneDX SBOM

Security contact

See security.txt.