Cybersecurity
Cyber Security at Pugpig
We take security seriously at Pugpig. We host content for some of the world's highest-profile media brands, and we treat it accordingly.
Security Measures
Some of the measures we have in place are:
We run Amazon GuardDuty across all of our systems
We run an extensive set of AWS Web Application Firewall (WAF) rules in front of our systems
We do not have a local network and do not own any servers. Everything runs on AWS, which reduces our attack surface
We automatically apply security patches to our servers and WordPress installations. We would rather risk downtime than run vulnerable systems
We advise every customer with a dedicated Pro/Site server to give us the IP ranges from which their staff work, so that we can restrict CMS access to those ranges
Our CMS servers do not take consumer traffic. Everything consumers see is served by our Fastly CDN
All of our systems use HTTPS only, and our TLS configuration holds an A+ rating from Qualys SSL Labs
We limit access to our production systems to the staff who need it
We store all passwords in 1Password, and any sensitive information a customer sends us should be sent encrypted, using www.keybase.io
For customers that do NOT provide an OAuth 2.0 authorization code flow with PKCE for login, we proxy the username and password through our servers. We accept these credentials only in HTTPS POST requests, and we do not store or log them.
Penetration Testing
We encourage our customers to run penetration tests, as they help us harden our systems. This normally happens one to three times a year. If you wish to run one, please let us know in advance, as we need to inform Fastly and supply them with details of the test. To find out more, please see this doc.
Native App Security
Here is an FAQ about the security approaches taken in our native applications.
What technology do you use for the Bolt native apps?
The apps are written natively in Swift (iOS) and Java (Android). We do not use cross-compiling frameworks. We do use embedded native web views to render timelines and content, as we believe HTML and CSS give publishers more flexibility in the presentation of their content and embeds. For any sensitive login or registration screens we use the platform-recommended secure web views, with the OAuth 2.0 authorization code flow with PKCE.
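The PKCE flow mentioned above (and in the Security Measures section, where customers without it fall back to credential proxying) is what stops a malicious app on the same device from using an intercepted authorization code. The following is an added example, not Pugpig's code or any publisher's identity provider: it derives the S256 code challenge as RFC 7636 specifies, checks the derivation against the RFC's own test vector, and uses a small constructed in-memory authorization server (PublisherAuthServer, a hypothetical stand-in) to show that the code alone is useless without the verifier that never left the app.

```python
"""OAuth 2.0 authorization code flow with PKCE (RFC 7636), S256 method.

Added example, not Pugpig's code. The app (client) keeps code_verifier in
memory; only its SHA-256 hash (code_challenge) goes out in the /authorize
request. The authorization code comes back through the system browser or a
custom URL scheme, where another app could observe it, but redeeming it at
/token requires the original verifier.
"""
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B test vector, used to check the challenge derivation.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """32 random bytes -> 43-character verifier, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PublisherAuthServer:
    """In-memory stand-in for a publisher's identity provider (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge bound at /authorize

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Reject 'plain' and missing PKCE outright: only S256 keeps the verifier secret in transit.
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Codes are single-use: any attempt, right or wrong, burns the code, so a
        # failed guess forces the real app to restart the flow rather than leaving
        # the code alive for further guesses.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            raise PermissionError("unknown or already-used authorization code")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("code_verifier length outside RFC 7636 range")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """Legitimate app completes the flow; an interceptor holding only the code cannot."""
    server = PublisherAuthServer()

    # 1. Legitimate exchange: verifier never leaves the app process.
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    tokens = server.token(code, verifier)

    # 2. Replaying the already-redeemed code must fail even with the right verifier.
    try:
        server.token(code, verifier)
        replay_worked = True
    except PermissionError:
        replay_worked = False

    # 3. A second flow whose code is observed by another app on the device.
    verifier2 = generate_code_verifier()
    code2 = server.authorize(code_challenge_s256(verifier2), "S256")
    try:
        server.token(code2, generate_code_verifier())  # interceptor has no verifier, guesses one
        intercepted = True
    except PermissionError:
        intercepted = False

    return {
        "legit_got_token": "access_token" in tokens,
        "code_replay_worked": replay_worked,
        "interceptor_got_token": intercepted,
    }
```

The length check on the verifier and the rejection of the `plain` method are deliberate: `plain` sends the verifier itself as the challenge, so anyone who can read the authorization request can also redeem the code.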
Do you do an Application Integrity Check?
We do not. Our apps run only on mobile platforms that enforce code signing, so we get integrity checking from the platform: we sign our builds, and the operating system refuses to run a binary whose signature no longer verifies, which is what happens if the binary is changed in any way. (A jailbroken or rooted device can weaken this enforcement, which is one reason we treat end-user devices as untrusted; see below.)
Do you use Code Obfuscation?
We do not. Our approach to security treats end-user devices as completely untrusted. We perform all authorisation and entitlement checks server-side only, on trusted infrastructure within our control. We also abide by NIST's recommendation that "System security should not depend on the secrecy of the implementation or its components." See TETRA:BURST (the 2023 disclosure of weaknesses in the proprietary TEA encryption algorithms of the TETRA radio standard) for a recent high-profile failure of security through obscurity.
Do you use Certificate or Public key pinning?
We do not use certificate or public key pinning. As noted above, all app traffic is HTTPS only, and our systems use no other transport.
Do you provide an In-App Keypad?
No. We use only the Operating System's user input.
Do you use Device binding, linking mobile device information to mobile application?
We do not attempt to read unique hardware identifiers, as the platforms do not allow apps to do so. Our advertising integrations, if used, may use the platform's advertising identifier, but only with end-user consent. Entitlement concurrency (how many devices can use one subscription at once) is managed server-side by limiting the number of concurrent refresh token streams per account, rather than by identifying devices.
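To make the "refresh token streams" idea concrete, here is an added example, not Pugpig's entitlement server: each app install gets its own refresh token at login, the token is rotated on every refresh so the chain of tokens forms a stream, and the server caps live streams per account by evicting the quietest one. It also shows the reuse-detection rule that makes rotation safe: a superseded token presented again revokes the whole stream. RefreshTokenStore and the three-device scenario in demo() are constructed for illustration.

```python
"""Server-side entitlement concurrency without device identifiers.

Added example, not Pugpig's code. A 'stream' is the rotating chain of refresh
tokens held by one app install. Capping live streams per account limits how
many devices share a subscription, with no device ID read on the client.
"""
import collections
import hmac
import itertools
import secrets


class RefreshTokenStore:
    """In-memory stand-in for the entitlement server's token table (constructed for this example)."""

    def __init__(self, max_streams: int = 3):
        self.max_streams = max_streams
        self._tick = itertools.count()  # monotonic counter instead of wall-clock time, for determinism
        self._streams = {}              # stream_id -> {"account", "current", "last_seen", "revoked"}
        self._token_owner = {}          # every token ever issued -> stream_id (keeps superseded tokens)
        self._by_account = collections.defaultdict(list)  # account -> [stream_id, ...]

    def _issue(self, stream_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._token_owner[token] = stream_id
        self._streams[stream_id]["current"] = token
        self._streams[stream_id]["last_seen"] = next(self._tick)
        return token

    def active_streams(self, account: str) -> list:
        return [s for s in self._by_account[account] if not self._streams[s]["revoked"]]

    def login(self, account: str) -> str:
        """A successful login (e.g. via the PKCE flow) opens a new stream for this install."""
        live = self.active_streams(account)
        if len(live) >= self.max_streams:
            # Over the concurrency cap: evict the stream that has been quiet longest.
            quietest = min(live, key=lambda s: self._streams[s]["last_seen"])
            self._streams[quietest]["revoked"] = True
        stream_id = secrets.token_urlsafe(8)
        self._streams[stream_id] = {"account": account, "current": None, "last_seen": 0, "revoked": False}
        self._by_account[account].append(stream_id)
        return self._issue(stream_id)

    def refresh(self, token: str) -> str:
        """Rotate the refresh token; the presented token is invalidated."""
        stream_id = self._token_owner.get(token)
        if stream_id is None:
            raise PermissionError("unknown refresh token")
        stream = self._streams[stream_id]
        if stream["revoked"]:
            raise PermissionError("stream revoked (concurrency limit or reuse)")
        if not hmac.compare_digest(token, stream["current"]):
            # A superseded token came back: either the app lost the rotation response
            # or the token was stolen and replayed. Either way, kill the whole stream
            # and make the user log in again.
            stream["revoked"] = True
            raise PermissionError("refresh token reuse detected; stream revoked")
        return self._issue(stream_id)


def demo() -> dict:
    """Three devices on a two-device subscription, then a replayed token."""
    store = RefreshTokenStore(max_streams=2)
    phone = store.login("alice")
    tablet = store.login("alice")
    phone = store.refresh(phone)            # phone is now the most recently seen stream
    store.login("alice")                    # third device: the tablet (quietest) is evicted
    out = {"live_after_third_login": len(store.active_streams("alice"))}
    try:
        store.refresh(tablet)
        out["tablet_still_works"] = True
    except PermissionError:
        out["tablet_still_works"] = False
    stolen = phone
    phone = store.refresh(phone)            # legitimate rotation supersedes 'stolen'
    try:
        store.refresh(stolen)               # attacker replays the superseded token
        out["replay_accepted"] = True
    except PermissionError:
        out["replay_accepted"] = False
    try:
        store.refresh(phone)                # the real phone is locked out too: re-login required
        out["phone_after_replay"] = True
    except PermissionError:
        out["phone_after_replay"] = False
    out["live_at_end"] = len(store.active_streams("alice"))
    return out
```

Evicting the quietest stream rather than refusing the new login keeps the user experience sane (the newest device works, the forgotten one asks for a login next time), and because eviction is a server-side decision it cannot be defeated by anything done on the device.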
Do you do Detection and block of rooted or jailbroken mobile devices?
We do not do such detection. We treat all end-user devices as untrusted, whether or not they are rooted (see the answers above on integrity checks and obfuscation).
User Data Policy
Note that we do not store any end-user data on our systems, so a compromise of our systems would not expose end-user personal data. The only content we store is ready-to-publish editorial content. Our biggest risk is the defacement of a publication or website. This has never happened in our 10 years of operation, but we remain vigilant.
Notification of Breaches
If any breach or failure should occur, customers are notified via our Status Page (to which you can subscribe) at https://status.pugpig.com/