This article is written for Deputy customers who wish to perform their own security assessments and testing on Deputy.
We perform security assessments and penetration testing on our own environment at least annually. Copies of these reports are available for review upon request to security@deputy.com.
Occasionally, you may have requirements to perform your own independent testing. We encourage this testing, as it increases trust and confidence in our offering as well as allowing Deputy to be tested in novel ways, which ultimately improves our security profile.
Deputy will consent to customers performing security testing on their Deputy environment under the following conditions :
Registration
- The customer must be a fully paid financial customer at Premium or higher level. The customer must already have a signed Non-Disclosure Agreement (NDA) with Deputy and be willing to accept all of these terms.
- The customer must provide notice of the testing at least 4 weeks in advance via security@deputy.com, and receive approval for the testing from Deputy’s Head of Security. Approval is at Deputy’s discretion, and alternate times should be provided as the requested time may not be available for customer testing due to operational priorities.
- The customer must provide a technical contact for the testing (phone and email) and the timeframe in which testing will be conducted. Any testing outside of this window will be considered hostile, and we may at our discretion perform any action to protect Deputy and the customer’s instance and data, up to and including blocking traffic and suspending the customer’s service.
Testing
- Testing must be designed to be non-destructive and not create an impact on other customers. This means the following is explicitly out of scope for testing:
- Denial of Service or any other form of load or stress-based testing.
- Testing against https://once.deputy.com/ or any other Deputy asset that is used by multiple customers.
- Any form of testing that may expose customer data from any other Deputy customer, or Deputy intellectual property. If testing reveals this, then the test must cease and a finding provided to Deputy.
- The customer must cease all testing activity on request by Deputy. The customer will assume all liability for any testing activity occurring after a request to suspend testing is received and acknowledged. For the avoidance of doubt, it is expected that any email or phone message will be considered acknowledged within 15 minutes of delivery to the customer’s technical contact for testing.
Reporting
- Customers must provide a report to Deputy on security@deputy.com within 14 days of testing being completed.
- The report will list all testing performed and all findings.
- Deputy will work with the customer to resolve any findings, and may at its discretion request a re-test of findings to verify resolution or de-risking of a finding.
- Any findings of severity medium or higher must be reproducible, and sufficient code, data, or commands must be provided so that the finding can be independently reproduced
- The customer will keep the results of testing confidential, and findings may only be released publicly with the written consent of the Deputy Head of Security. This also applies to areas such as bug bounty responses, Critical Vulnerability Exploit (CVE) requests, and other responsible disclosure processes.
- Any publication of findings may reference or provide credit to the customer or their testing group as appropriate. Deputy will commit to responsible disclosure of any finding that warrants a security bulletin, at our discretion.
This policy is written for clarity of your's and Deputy’s rights in this situation so that there is understanding about how you may work with us on security. We write this for your protection and ours so please co-operate with us in your work so that we can create a thriving workplace.