We try our best to keep up with industry standards and ensure that we always improve our security.
Our ongoing effort is to harden our systems and improve our services.
We are always eager to improve, and if you found something, let us know!
We are thankful for any information about possible vulnerabilities in our systems, products or services.
If you believe you found something, don't hesitate to contact us at firstname.lastname@example.org.
In order to verify it, we appreciate information such as a proof of concept, the tools used and anything else that might be useful for the report.
Once verified, and depending on the scale, we will notify users and keep them updated about the issue as new information arrives.
Unfortunately we can't pay a bounty reward in cash, but publicity (if you want it) and other UGX-Mods benefits might be rewarding to you as well.
Since May 25th 2018, the new General Data Protection Regulation (GDPR) has been in effect.
UGX-Mods tries its best to comply with it and to inform consumers about their rights.
In our customers' favor, every consumer, regardless of residency, is treated equally and receives the same improvements and tools to enhance their privacy and consumer rights.
As a tiny team based on volunteer work, it is impossible for us to uphold and maintain the same standards as bigger companies.
Nevertheless, UGX-Mods is dedicated to and optimistic about ensuring secure systems and mechanisms that protect consumers' rights and data.
We use SSL/TLS (https://) only on our products and services. (Some legacy products might still use plain http, but they will be deprecated by the end of 2018!)
You can view our latest SSL Labs Report here: https://www.ssllabs.com/ssltest/analyze.html?d=www.ugx-mods.com&latest (A+ is the highest possible grade)
Most user data is kept until the account is deleted.
We store certain log data (like bans and security alerts) longer for investigation and fraud detection.
Other log data (like application errors) is truncated after 90 days or sooner.
All stored customer data is eradicated upon a customer's termination of service and deletion of the account, after a manual investigation to prevent accidental cancellation or fraud.
Data can usually also be deleted per product and service in the settings.
We always make sure to use the latest stable version of external dependencies.
Common practices are used to ensure that accounts can't be easily hijacked.
We plan to integrate 2FA (two-factor authentication) and notifications about authentications from a new IP. Due to limited resources, an estimate is not possible.
We send out emails with our own mail server and via SparkPost (https://www.sparkpost.com/policies/security/).
We have Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) set up, with monitoring reports, to prevent phishing scams.
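As an added illustration of what "SPF and DMARC set up with monitoring reports" means in practice, the following Python checker (written for this page, not UGX-Mods' own tooling) parses SPF and DMARC TXT records and flags the weaknesses a mail administrator looks for: a permissive `all` mechanism, too many DNS lookups, a `p=none` policy that only monitors, and a DMARC record with no `rua=` reporting address. The record strings are constructed samples; they are not the records published by ugx-mods.com, and the include/report domains are placeholders.

```python
"""Check SPF and DMARC TXT records for common weaknesses.

Added example, not UGX-Mods' own code.  The records below are constructed
samples; a real check would fetch them with a DNS TXT lookup of the domain
and of _dmarc.<domain>.
"""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit

# Constructed samples (placeholder domains, not real published records).
SAMPLE_SPF = "v=spf1 mx include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org; pct=100"
WEAK_DMARC = "v=DMARC1; p=none"


def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict (tag=value; syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings; an empty list means the record looks sound."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    elif not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
        findings.append("rua= must be a comma-separated list of mailto: URIs")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct= must be an integer from 0 to 100")
    return findings


def check_spf(record):
    """Return a list of findings for an SPF record; empty means it looks sound."""
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    all_terms = []
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
        if name == "all":
            all_terms.append(term)
        elif name in SPF_LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1  # each of these costs a DNS lookup at evaluation time
    if not all_terms:
        findings.append("no all mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0] not in "-~":
        findings.append("all is not -all or ~all, so any host may send as this domain")
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_MAX_LOOKUPS} (permerror)")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("SPF", SAMPLE_SPF, check_spf),
                           ("DMARC", SAMPLE_DMARC, check_dmarc),
                           ("weak DMARC", WEAK_DMARC, check_dmarc)):
        print(label, "->", fn(rec) or "OK")
```

Feeding the checker the actual TXT records of a domain (and of its `_dmarc` subdomain) gives a quick self-audit of the mail authentication posture described above; a `p=none` record with an `rua=` address is the usual monitoring stage before moving to `quarantine` or `reject`.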
Our servers are located in OVH data centers. More information is available here: https://www.ovh.com/world/about-us/security.xml
Access to our servers is restricted to a minimum number of administrators, authenticating with private keys over an encrypted connection.
At the moment we only have basic systems in place to block brute-force attacks.
We plan to implement proper IDS services on all our servers in 2018.
Due to our small team, we are not able to perform or commission any penetration testing at the moment. If UGX-Mods grows, we are eager to improve here.
We do a security audit at least once a year with various tools to ensure that our systems follow best practices.
Third-party external audits are not possible at the moment due to the small team size and scope.
We create weekly full backups and daily incremental backups. These are encrypted based on industry standards and mirrored to other dedicated servers under our control.
We have an internal wiki about security and best practices to ensure members of UGX-Mods are up to date with security information and workflows.