Security & Trust at Cerebrum
At Cerebrum, our mission is to help you build trusted teams. That trust begins with the confidence you place in us. We are committed to protecting your data and ensuring the security and reliability of our platform through a comprehensive, multi-layered security program. Our commitment to security is a fundamental part of how we build products and operate our business.
SOC 2 Type II Compliant
We are proud to announce that Cerebrum is SOC 2 Type II compliant. This certification, verified by an independent third-party auditor, affirms that our information security practices, policies, procedures, and operations meet the rigorous AICPA (American Institute of Certified Public Accountants) standards for security. Our continuous compliance demonstrates an ongoing commitment to upholding these high standards.

Our Comprehensive Security Program
Our security program is built on a foundation of industry best practices and is designed to protect our systems and your data at every layer.
- Robust Infrastructure: Our services are hosted in industry-leading, top-tier cloud environments that provide a secure, resilient, and highly available foundation for our platform.
- 24/7 Monitoring & Threat Detection: Our systems are protected by continuous monitoring, centralized logging, advanced alerting, and a Security Information and Event Management (SIEM) system to detect and respond to potential threats in real time.
- Continuous Verification: We engage with independent security firms to perform regular penetration tests on our applications and infrastructure, ensuring our defenses are continuously challenged and hardened against emerging threats.
- Data Privacy & Compliance: We are committed to global data privacy standards and adhere to the principles of regulations such as GDPR and CCPA. Your data is processed with the utmost care and in accordance with legal and ethical standards.
Our Trust Center
For our customers and partners, we provide access to our Trust Center. This portal offers a real-time view of our security posture and access to our compliance documentation, including our SOC 2 Type II report.
Access is available upon request and subject to a Non-Disclosure Agreement (NDA). Please contact your account representative or our sales team to request access.
Responsible Disclosure & Bug Bounty Program
In addition to our internal controls, we believe in the power of the community to help keep our platforms secure. We invite security researchers to identify and report potential vulnerabilities through our Bug Bounty Program. Your contributions help us enhance the robustness of Cerebrum's security, and we are committed to working with you to verify and resolve any findings.
Security Vulnerability Categories & Bounty Amounts
Low-Level Vulnerabilities
These issues may cause minor inconvenience, but they aren't likely to pose a serious risk.
- Bounty: $200
- Examples: Lack of proper rate limiting, overly verbose error messages, session management issues, missing security headers.
Medium-Level Vulnerabilities
These vulnerabilities could potentially affect the functionality of our systems or compromise the privacy of a small subset of data.
- Bounty: $500
- Examples: Weak authorization checks leading to privilege escalation through IDOR, lax CSRF token validation, poor API input validation, missing or expired TLS certificates, insecure file uploads.
High-Level Vulnerabilities
These vulnerabilities could jeopardize the security of our platform or compromise sensitive data on a large scale.
- Bounty: $1,500
- Examples: SQL injection attacks, leaks of sensitive PII, subversion of existing encryption measures, arbitrary code execution on the server, access to hashed API keys or passwords.
Critical-Level Vulnerabilities
These vulnerabilities could cause a complete system compromise or a catastrophic data breach.
- Bounty: $3,000
- Examples: Complete authentication bypass, cloud environment access or takeover, direct access to the database.
How to Report a Vulnerability
We ask that you do not disclose any potential vulnerability publicly before it has been resolved. Please use GitHub's private vulnerability reporting feature to submit your findings. This ensures your report is delivered directly and securely to our team.
- Navigate to the main page of our Bug Bounty repository.
- Under the repository name, click on the Security tab.
- Read all previously published advisories to ensure your submission is not a duplicate.
  Note: if you ignore this step, your submission and future reports may be dismissed immediately.
- In the left sidebar, click on Report a vulnerability.
- Fill out the form with all the necessary details, including:
  - A clear description of the vulnerability.
  - The steps required to reproduce it.
  - The potential impact of the vulnerability.
  - Any proof-of-concept code, screenshots, or videos that can help us understand the issue.
- Click Submit report.
Our team will review your submission and get back to you as soon as possible.
What to Expect After You Submit a Report
Once you've submitted your report via GitHub's private vulnerability reporting feature, here’s how our process typically unfolds:
- Triage and Acknowledgment: Our security team will first acknowledge the receipt of your report, usually within 2-3 business days. We will then conduct an initial review to confirm that the report is understandable, reproducible, and not a duplicate of a previously submitted vulnerability. If we need more information, we will communicate with you directly through the GitHub advisory.
- Validation and Severity Assessment: After the initial triage, our team will thoroughly validate the vulnerability. We will assess its impact and assign a severity level based on the categories defined above. This assessment determines the final bounty amount. We will notify you of our findings and the confirmed bounty.
- Remediation: Our engineering team will prioritize and work on a fix for the validated vulnerability. The timeline for remediation can vary based on the complexity of the issue and our release schedule. We are committed to keeping you informed of our progress.
- Bounty Payout: Once the vulnerability has been successfully remediated and the fix has been deployed, we will initiate the bounty payment process. Our team will reach out to you to securely coordinate payment details. Please allow up to 30 days after the fix is deployed for the payment to be processed.
- Public Disclosure and Recognition: After the patch is live, we will work with you to coordinate public disclosure. We will create a public security advisory on GitHub, detailing the vulnerability and the fix. We are happy to give you full credit for your discovery in the advisory. If you prefer to remain anonymous, please let us know.
Thank You!
Like the billions of neurons working together in our brain, your contributions help us enhance the robustness of Cerebrum's security. We appreciate your collaboration and look forward to working together to improve our cybersecurity defenses! Thank you for your help and for being a Good Samaritan!