Security and Responsible Disclosure Policy

Keeping your video secure is our highest priority at Iplivecams

Keeping your video secure is our highest priority at Iplivecams. We have architected Iplivecams so that no matter what network or device you are using, your video is private and secure. We've designed our cameras to communicate only with Iplivecams servers and our servers to communicate only with Iplivecams cameras. We have also set up our system so that all camera and cloud software updates are installed automatically. That means you’ll always have the latest and most secure software on your camera. You don’t need to manage updates yourself other than for the app on your mobile device, as you do for all your apps.

Secure Streaming

Because Iplivecams encrypts video on the camera, your video is secure even if you are on an open or insecure Wi-Fi network. Each camera has its own private key and certificate used to authenticate with the server and derive per-session encryption keys. This means that to compromise a camera the intruder would need that specific camera’s key, which is only stored on the camera itself. Similarly, no matter which Iplivecams client (iOS, Android, and Web) you use, your video stream is encrypted. Iplivecams employs perfect forward secrecy to make each session secure.

Secure Storage

If you are a Cloud Recording customer, Iplivecams uses Amazon S3 for storing your video. Amazon states that it utilizes state-of-the-art electronic surveillance with multi-factor access control systems, that its data centers are staffed 24x7 by trained security guards, and that access is authorized strictly on a least-privilege basis.

If you are not a Cloud Recording customer, we do not store your video. We generate thumbnails for alerts and send them to you, but the thumbnails are never stored.

Privacy

Keeping your data private and protecting your account from unauthorized access are paramount at Iplivecams.

We have strict policies and technical barriers in place to prevent unauthorized access to video data. A very select number of employees (senior engineering leadership) have the ability to access video data only when legally required.

Best Practices

Always install the latest versions of our apps and keep your web browser and Flash plug-in updated.

We do not support any 3rd party applications, and you should never type your Iplivecams username and password into any website or app other than the official Iplivecams website, iOS app, or Android app (which should only be downloaded from Google Play or Amazon).

If you believe one of your devices with the Iplivecams app installed has been compromised, resetting your Iplivecams password will immediately log your account out of all of your devices.

Technical Details

  • 128-bit AES encryption and Transport Layer Security keep video secure from the camera to the cloud and from the cloud to your devices;
  • Clips are only viewable by people who have the hyperlink;
  • We don’t currently support any 3rd party apps;
  • Passwords aren’t stored directly on our servers, encrypted or in plain text. To protect your password, Iplivecams uses a non-reversible, slow, salted key-derivation function, as is best practice on the web.

Responsible Disclosure Policy

If you are a security researcher and believe you have found a security vulnerability, we want to hear about it right away. We ask that you give us a reasonable amount of time to respond to your report before making any information public, that you do not access or modify user data without the permission of the account owner, and that you act in good faith not to degrade the performance of our services (including denial of service). If you comply with those requests, we will not take legal action against you.

We are interested in the following areas:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • SQL injection (SQLi)
  • Authentication/authorization for devices or clients
  • Sharing/public model
  • Remote code execution
  • Data exposure
  • Alert/notification spoofing

Out of scope areas:

  • Denial of Service (DoS)
  • Issues only present in old/end-of-life browsers and old plugins

The Iplivecams disclosure program is managed through Bugcrowd. To see the terms of the program and participate, go to Bugcrowd and sign up as a tester. Iplivecams’s terms of service will be provided at Bugcrowd.com and you will need to accept those terms to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for rewards.
