Security Policy

Introduction

Deploying More Capital is committed to maintaining robust security policies and practices to ensure compliance with applicable laws, regulations, and contractual obligations. Our focus is on safeguarding the confidentiality, integrity, and availability of data, reinforcing the trust of those who engage with our services.

Policies

Our security policies extend to all employees (full or part-time), interns, and contractors. These policies, approved by the leadership committee, undergo annual reviews. Covering various aspects such as change management, third-party vendors, acceptable use, and risk management, these policies form the backbone of our security framework.

Authentication and Authorization

All user accounts mandate complex passwords (minimum of 10 characters) and Multi-Factor Authentication (MFA). Access to resources follows the principle of least privilege, with permissions granted through a change management process. Unnecessary access is promptly revoked.

Trainings

New hires undergo initial security training, while all employees receive monthly security micro-trainings on rotating topics. Regular educational phishing simulations help reinforce awareness. Additional trainings are conducted as needed, ensuring a proactive approach to security education.

Environments

Testing and production environments remain logically separated, with corporate users having no access to either. Each boundary is protected by firewalls limiting ports and services to essential functions. Access to different environments is strictly based on business necessity.

Change Management

A comprehensive change management process governs all alterations to production and sensitive access grants. The process enforces separation of duties and includes a review of all requests, regardless of approval status. An emergency process for urgent after-hour changes is also in place.

Email Security

An email firewall scans for malware in attachments and blocks suspicious emails. The email server negotiates encryption with the sender’s server, if supported. Employees can report phishing emails with a designated “report phishing” button.

Vulnerability Scanning

Monthly scans of the production infrastructure identify vulnerabilities, which are addressed based on criticality level.

Encryption

Data classified as confidential or above is encrypted at rest (AES-256) and in transit (TLS 1.2 or above).

Vendor Management

Vendors that handle data classified as confidential or above undergo a risk evaluation by our Security Team. Each vendor's security posture, terms of service, and privacy practices are thoroughly assessed.

Bug Bounty Rules of Engagement

Deploying More Capital encourages security researchers to enhance our security posture through ethical testing. The bug bounty program focuses on specific domains and vulnerabilities, with clear guidelines on allowed and disallowed activities.

Allowed Activities

  1. Scoped domains limited to deployingmorecapital.com.
  2. Vulnerabilities within the bug bounty program’s scope, including server-side flaws, authentication flaws, cross-site scripting, cross-site request forgery, directory traversal, misconfigurations, and insecure cipher suites.

Prohibited Activities

  1. Privacy violations, performance degradation, or data modification/destruction.
  2. Unauthorized access to internal systems.
  3. Repeated network requests for DDoS or rate limiting testing.
  4. Social engineering attempts.
  5. Testing from countries on the US sanctions list.
  6. Vulnerability disclosure to third parties.

Non-Payment Cases

  1. Non-security related bugs.
  2. Vulnerabilities outside the scoped websites.
  3. Vulnerabilities in third parties or known vulnerabilities.
  4. Bugs that require employee interaction.
  5. Nuisance exploits not posing a security risk.

Payment Process

Receipt of a report is confirmed within one business day, followed by a 5-business-day validation period. Payment is issued once the vulnerability is closed and confirmed by the reporter, or within 30 days, whichever comes first.

Payment Range

Rewards range between $50 and $1,000, depending on the severity of the vulnerability.

Submission Requirements

  1. Reproducible vulnerabilities with clear and complete steps.
  2. Single vulnerability per report, including a detailed summary, description, proposed severity, steps to reproduce, browser info, affected URLs, console logs, and screenshots.
  3. Limited vulnerability scanning to a maximum of 5 requests per second.
  4. Full name, country of residence, and security credentials summary required.

Legal Notice

Rewards cannot be issued to individuals on sanctions lists or residing in specific countries. Recipients are responsible for any tax implications. The program is experimental and subject to cancellation at any time; reward decisions are entirely at our discretion.

Ethical Testing Guidelines

Testing must not violate any laws or compromise data not owned by the tester. No conflicts of interest are tolerated, with rewards withheld for employees of Deploying More Capital companies.

Deploying More Capital is committed to maintaining the highest standards of security, continuously evolving our practices to meet emerging threats. We invite ethical security researchers to collaborate with us in creating a safer digital landscape.
