Privacy and Data Processing Policy
This policy describes what data we collect, why we collect it, how we process it, and when and how we may share this data with third parties.
Data Collected
This forum may collect data about you. However, it should be clear what the data is used for.
We do not expect you to provide your real name or other real contact information, except for a valid email address.
Your email address is only used for account verification and for announcements, such as notifications about recent activity on the forum or news related to the future VulnDetect product.
VulnDetect only retains standard http / ssl log files, for examining and analysing usage. These log files may be retained for up to 12 months. Under normal circumstances only your IP and browser information are collected in these log files.
VulnDetect also uses cookies; however, these are only used for session management and can safely be deleted between visits. The only consequence is that you will be prompted for your username and password on your next visit.
What we store about you
All data that we store about you is visible from the interface of this forum.
Please note that we allow the use of aliases, so you do not need to reveal your true identity to have an active profile at the VulnDetect forum.
Your right to be forgotten
You may at any time opt-out of our mailing lists and services.
You may at any time choose to delete your account. Backups are retained for two weeks. After two weeks they will be overwritten and your data will be permanently gone.
Note: Any posts or replies you made on the forum will not be deleted as these are considered public domain and removal of your replies or posts may render the remaining post and replies in a thread useless or without proper context. You should also note that your posts and replies may be cached by search engines, web archives and other parties who are beyond our control.
Remember, you may always choose to use an alias when posting; we will not reveal your true identity.
Security and Encryption
Data transfer
We utilise HTTPS (or similar) for all data transfers. We intend to comply with best practices for HTTPS configuration for websites at all times. This may cause certain older clients to be unable to access the site.
Certificates
We currently use Let’s Encrypt certificates.
Encryption at rest
All user data is stored on encrypted devices to prevent leakage when disposing of old / broken hardware or when recycling storage at the cloud provider.
Your password is hashed 12 times using bcrypt before it is stored in our database. bcrypt is one of the better hashing algorithms for passwords, because it makes brute-forcing the password hash fairly expensive.
However, we always recommend that you use a password manager and use an individual password for every single site. This way, you don’t need to worry too much if one of the sites you use is compromised.
Software
We naturally intend to update all software in a timely manner. If software is considered vulnerable, we may update it outside our regular service windows or disable functionality temporarily. When doing so, we will post a brief note on the forum to notify you of the service interruption or lack of service.
Access
Access to user data is on a “need-to-know” basis. All access to data and to the systems hosting that data requires authentication and is logged.
Backups
Backups are encrypted before being retrieved and stored at a separate location. Backups containing user data are usually only retained for two weeks.
Third parties
All our data is stored at Hetzner Online GmbH in one of their German facilities. The database, holding your credentials and all the posts, is stored on bare metal hosts at Hetzner. These hosts are managed by SecTeer, and all data at rest on them is encrypted. Backups may be stored at a different facility, but still in Europe and always encrypted at rest. The forum software is running on a cloud instance at Hetzner; only session data and uploaded files, including avatars, are stored on the cloud instance, and this data is not encrypted at rest.
We believe that the European data protection laws serve the interest of users in general and are in line with our philosophy about online digital rights.