Security At UREEQA
UREEQA takes security very seriously: it is at the core not only of how we run our traditional infrastructure, but also of what we do on the blockchain. Creators are trusting us with their creations, and we do not take that trust for granted.
UREEQA’s platform is hosted by Amazon Web Services. We make full use of the security products embedded within the AWS ecosystem. We deploy our platform using containers run on AWS Managed Services. This allows us to not manage the servers or EC2 instances in production; we rely on AWS for this.
The UREEQA platform uses best-in-class tools to ensure our platform is secure against intrusion.
UREEQA utilizes best practices to protect our data at rest and in transit. We further minimize risk by capturing minimal data on our users. Our data security utilizes hardware and software techniques to keep our clients’ data private and secure.
UREEQA utilizes security-hardened open-source technologies along with industry best practices to create all our smart contracts. Our smart contracts were designed and created by our own CSO, Dr. Jonathan Shahen, who received his PhD from the University of Waterloo. Our contracts are constantly monitored, and transactions are audited for suspicious activity.
We are preparing to go through an audit for SOC 2 attestation and we will update this page as we go through the process.
Bug Bounty Program
UREEQA’s Bug Bounty program provides an avenue for security researchers to responsibly report certain types of bugs and vulnerabilities within our website. In this program, UREEQA pays researchers based on the severity of the bug and provides compensation with our own URQA token. The payment amount is converted from CDN dollars to URQA on the day of payment. Researchers must have an ERC-20 compatible wallet to participate in the program.
Researchers must also be over the age of 18 or be the age of majority in the jurisdiction in which they live. We also provide a safe harbor provision, providing peace of mind to good-faith testers.
The following are items that are not in the scope of our Bug Bounty program.
- Attacks that require root access to a user’s computer
- Attacks that involve high-volume distributed requests
- Attacks that require Man in the Middle (MITM) decryption of HTTPS
- Email phishing that does not impersonate the @ureeqa domain
Anything else is open for testing!
To report a bug, email [email protected]. Please send one email per bug and provide the type of issue, a description of the issue, the date and time the issue was discovered, and step-by-step instructions to allow UREEQA to reproduce the issue. Please do not provide a screenshot if sensitive data is visible.
We diligently investigate all bug reports, so please be patient. Our replies can take up to a week or even longer depending on the volume of reports and the complexity of the issue. We ask that you not email repetitively for updates. We will respond.
If you have any questions related to the Bug Bounty program, email us at [email protected].
Disclaimer: UREEQA will work to provide a response as soon as possible; however, we will not accept any demands or threats. UREEQA will determine the severity of the issue presented and will determine the bounty. If a researcher makes threats or demands, they will be removed from the bug bounty program and will no longer be protected by our safe harbor policy.