SECURITY & RELIABILITY
Updated January, 2018
The protection of customer data and privacy is 4me’s number one operational priority.
All information travelling between your browser and 4me is protected with 256-bit TLS encryption. This is the same level of security banks use. The security lock icon in your browser lets you verify that you aren’t talking to a phishing site impersonating 4me and that your data is secure in transit.
The email notifications that 4me sends out to end users, managers and support specialists are also protected with TLS encryption, provided that the email servers of your organization support TLS. 4me’s mail servers support TLS so that all messages sent to 4me are encrypted in transit as long as the email clients set up a TLS connection.
Maintaining a Secure Environment
Access control measures have been deployed at multiple levels to limit access to legitimate users and only to the operations that these users have been authorized to perform.
Access and usage of the 4me service and its hosting environments are continuously monitored in order to identify unauthorized operations and access attempts as early as possible. 4me actively maintains and tests both the hosting environments of the 4me service and the 4me application code to prevent security issues as much as practical, and to ensure that security issues that affected the 4me service do not recur.
Apart from the detection mechanisms used for the early identification of possible security issues that may affect the 4me service, response measures are in place to handle such issues if they occur.
Reporting Security Issues
Naturally, we welcome any feedback that can help us make the 4me service more secure. To report a possible security issue that affects the 4me service, send an email to firstname.lastname@example.org.
Please include a detailed summary of the issue you have discovered, as this will allow us to respond more rapidly and effectively to your report. Security issues are given priority over any other incidents that may affect the 4me service (even over incidents that affect the availability of the service) and are handled through a separate procedure. We are committed to safeguarding your privacy throughout this procedure. You can use the 4me Service Security public key at the bottom of this page to encrypt sensitive information sent via email.
After you draw our attention to a potential security issue, you will receive an email confirming that we have received your report. 4me will subsequently attempt to validate and reproduce the reported vulnerability. If additional information is required in order to validate or reproduce the issue, we will work with you as needed to obtain it. When the initial investigation is complete, results will be delivered to you. If the issue cannot be validated, this will be shared with you.
On the other hand, if the vulnerability has been verified, a plan for its resolution and public disclosure will be shared with you. If the vulnerability is found to be caused by a third-party software product, 4me will notify this third party. 4me will continue to work with the third party to ensure that a fix gets implemented. Your identity will not be disclosed to the third party without your explicit permission.
4me will coordinate public notification of the validated vulnerability with you. 4me security bulletins are posted within the 4me service. You, or your company, may want to post your advisories on your own web site or in security forums. When possible, we would prefer that our respective public disclosures be posted simultaneously.
Notifying a vendor before publicly releasing information about a security issue is a best practice known as responsible disclosure. Responsible disclosure allows companies like 4me to better protect their customers by fixing vulnerabilities before they are brought to the attention of someone who may want to exploit them. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies of responsible disclosure. 4me follows the same practice when it discovers and reports security vulnerabilities to other organizations.
For the protection of our customers, 4me does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases have been implemented. Once a security issue has been fixed, 4me publishes a 4me security bulletin about the issue within the 4me service.
The 4me Service Security public key has an operational life span of three years. When we generate a new public key, it will be made available on this web page.
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----