Security
Security is a top priority for us. Here are some details on what you can expect from our services and how we maintain a high level of security at Skywalk API.
Encryption of All Data and Communications
Skywalk API uses the industry standard AES-256 encryption algorithm to encrypt all data at rest in our database. We store sensitive data, like account passwords, and all data retrieved from your AppFolio® account with additional layers of AES-256 encryption using per-tenant encryption keys. Even gaining authenticated access to our database does not allow decryption of this sensitive data.
Data is also encrypted in transit using industry-standard HTTPS and TLS 1.2.
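The envelope design that per-tenant keys with a separate "authenticated database access is not enough" guarantee implies, as an added Go example that is not Skywalk API's own code: a master key kept outside the database wraps one AES-256-GCM data key per tenant, and every stored value is sealed under that tenant's key with the tenant id as associated data. The type and function names, the key-table layout and the sample secret are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKey is one row of a hypothetical key table: the tenant's data-encryption
// key (DEK), sealed under a master key that lives outside the database (an HSM
// or KMS). Names and layout are illustrative, not Skywalk API's schema.
type TenantKey struct {
	TenantID   string
	WrappedDEK []byte
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
// aad is authenticated but not encrypted; binding the tenant id here makes a
// blob fail to decrypt if it is copied into another tenant's row.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or any modified byte is an error.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// NewTenantKey mints a DEK for a tenant and returns it wrapped under masterKey.
func NewTenantKey(masterKey []byte, tenantID string) (TenantKey, error) {
	dek, err := NewKey()
	if err != nil {
		return TenantKey{}, err
	}
	wrapped, err := seal(masterKey, dek, []byte(tenantID))
	if err != nil {
		return TenantKey{}, err
	}
	return TenantKey{TenantID: tenantID, WrappedDEK: wrapped}, nil
}

// unwrap recovers the tenant DEK; this is the only step that needs the master key.
func unwrap(masterKey []byte, tk TenantKey) ([]byte, error) {
	dek, err := open(masterKey, tk.WrappedDEK, []byte(tk.TenantID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", tk.TenantID, err)
	}
	return dek, nil
}

// EncryptField seals one sensitive value (a password, an API token) for storage.
func EncryptField(masterKey []byte, tk TenantKey, value []byte) ([]byte, error) {
	dek, err := unwrap(masterKey, tk)
	if err != nil {
		return nil, err
	}
	return seal(dek, value, []byte(tk.TenantID))
}

// DecryptField is the read path. A copy of the database (tk plus blob) without
// masterKey cannot get past unwrap, which is the property the page describes.
func DecryptField(masterKey []byte, tk TenantKey, blob []byte) ([]byte, error) {
	dek, err := unwrap(masterKey, tk)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(tk.TenantID))
}

func main() {
	master, _ := NewKey()
	tk, _ := NewTenantKey(master, "tenant-a")
	blob, _ := EncryptField(master, tk, []byte("constructed sample secret"))
	pt, err := DecryptField(master, tk, blob)
	fmt.Printf("with master key: %q err=%v\n", pt, err)
	wrongMaster, _ := NewKey() // whoever holds only database rows lacks this
	_, err = DecryptField(wrongMaster, tk, blob)
	fmt.Println("without master key: err =", err)
}
```

Two design points worth noting: the master key is never stored beside the rows it protects, so a database dump yields only wrapped keys and ciphertext; and the tenant id in the GCM associated data means a ciphertext swapped between tenant rows, or a wrapped key reassigned to another tenant, fails authentication instead of silently decrypting.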
HTTPS and HSTS for Secure Connections
Skywalk API requires HTTPS for all services, including our API, public website, and dashboard. We regularly audit the details of our implementation, including the certificates we serve.
For your security, API calls made over plain HTTP will be rejected.
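What "plain HTTP is rejected" plus HSTS looks like at the handler level, as an added Go example that is not Skywalk API's code: a middleware that refuses any request not carried over TLS and stamps a Strict-Transport-Security header on every TLS response. The handler names, the header max-age and the probe helper are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsValue is a commonly used policy: one year, applied to subdomains.
const hstsValue = "max-age=31536000; includeSubDomains"

// RequireTLS wraps a handler so plain-HTTP requests are refused outright and
// every TLS response carries an HSTS header. It checks r.TLS, which net/http
// populates when the server itself terminates TLS; behind a TLS-terminating
// load balancer the check would instead consult a trusted forwarded-proto header.
func RequireTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			// Reject rather than redirect: an API client that sent a token in
			// the clear has already leaked it, and a redirect would hide that.
			http.Error(w, "HTTPS required", http.StatusForbidden)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// okHandler stands in for the real API.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// Probe runs one request through the middleware and reports the status code
// and the HSTS header that came back.
func Probe(r *http.Request) (int, string) {
	rec := httptest.NewRecorder()
	RequireTLS(okHandler).ServeHTTP(rec, r)
	return rec.Code, rec.Header().Get("Strict-Transport-Security")
}

func main() {
	// httptest.NewRequest sets a dummy r.TLS for https:// targets and leaves it
	// nil for http://, which is exactly the distinction the middleware keys on.
	fmt.Println(Probe(httptest.NewRequest("GET", "http://api.example.test/v1/ping", nil)))
	fmt.Println(Probe(httptest.NewRequest("GET", "https://api.example.test/v1/ping", nil)))
}
```

The HSTS header only has effect on responses the browser actually received over HTTPS, which is why the middleware sets it after the TLS check rather than on the rejection.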
Infrastructure
We routinely audit every component of our infrastructure to ensure that Skywalk API meets industry standards for security. Our infrastructure primarily resides inside of US-based Amazon data centers, and leverages Virtual Private Clouds to regulate access to integral components.
Vulnerability Disclosure and Reward Program
Skywalk API maintains a private, invite-only bug bounty program. While those who are not invited may still submit a security bug or vulnerability to Skywalk API, such reports may not be eligible for a payment. To request an invitation please email security@skywalkapi.com.
By submitting a security bug or vulnerability to Skywalk API, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By submitting, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Skywalk API's prior written approval.
Submit Vulnerability
You are about to submit a report to Skywalk API. Detailed and quality reporting is important to us. You must also include a working Proof of Concept.
Submit a vulnerability via email to security@skywalkapi.com
Program Terms and Conditions
Your participation in our program is voluntary and subject to the below terms and conditions:
- You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
- If you are performing research, please use your own accounts and do not interact with other users’ accounts or data.
- You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.
- Your testing must not violate any applicable laws or regulations.
- You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
- By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Skywalk API's prior written approval.
- You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.
- You must be 18 years of age or older.
- By reporting a bug, you grant Skywalk API and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
- Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
- Only the first, responsibly disclosed submission of a vulnerability instance will be marked as valid; any subsequent reports will not be eligible for our program.
Ineligible Vulnerabilities
Furthermore, Skywalk API does not consider the following to be eligible vulnerabilities:
- Denial of service
- Reports of spam
- Social engineering
- Self-XSS
- Content/text spoofing
- Unconfirmed reports from automated vulnerability scanners
- Disclosure of server or software version numbers
- Hypothetical sub-domain takeovers without supporting evidence
- Session invalidation or other security improvements related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
- Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- User/merchant enumeration
- Best practice reports without a valid exploit (e.g. use of “weak” TLS ciphers)
In Scope
Valid reports for assets in the following domains are eligible for reward:
- *.skywalkapi.com