🛡️ Responsible Disclosure Program: We maintain an active bug bounty program and pay researchers for valid vulnerability reports. If you've found a security issue, see Section 5 for submission details.
1. Our Security Philosophy
Security is not a feature we add — it is the foundation everything else is built on. We apply security-first engineering principles at every layer of the stack, from infrastructure architecture to application code to team access policies. Our approach is based on defense-in-depth: multiple independent layers of protection designed so that no single point of failure can compromise user safety or data integrity.
We conduct regular internal security reviews, annual third-party penetration tests, and ongoing automated vulnerability scanning. We treat every security report from the community as a valuable contribution to keeping our users safe.
2. Infrastructure Security
- Hosting: Deployed on the Vercel Edge Network with automatic DDoS mitigation, global CDN distribution, and zero-downtime deployments
- Database: MongoDB Atlas with network isolation, IP allowlisting, role-based access control, and automated encrypted daily backups
- Traffic Filtering: Cloudflare provides web application firewall (WAF) protection, bot mitigation, and real-time threat intelligence
- Availability: 99.9% uptime SLA with automated failover across multiple geographic regions
- Backup Verification: Daily encrypted backups retained for 30 days, with restore procedures tested quarterly
- Penetration Testing: Annual third-party penetration tests conducted by certified security firms, with findings remediated within defined SLA windows
3. Data Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age. We do not support TLS 1.0 or 1.1.
- At Rest: All database volumes and backup storage are encrypted using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation.
- Passwords: User passwords are hashed using bcrypt with a cost factor of 12 before storage. Plaintext passwords are never stored, logged, or transmitted internally.
- Session Tokens: Authentication JWTs are signed with RS256 asymmetric keys, issued with short expiry windows, and automatically rotated upon detection of suspicious activity.
- Payment Data: All payment processing is handled by Stripe (PCI-DSS Level 1 certified). WatchPartyLive never stores, processes, or transmits raw card numbers or payment credentials.
4. Access Controls
Production system access is strictly controlled and continuously audited:
- Production data access is restricted to engineers with a verified, documented business need — approved on a case-by-case basis
- All production access events are logged immutably and reviewed on a scheduled basis by our security team
- Multi-factor authentication (MFA) is mandatory for all team members across every internal tool and system
- Principle of least privilege is applied throughout — employees receive only the minimum permissions required for their specific role
- Quarterly access reviews are conducted to identify and remove unused or excess permissions
- We operate a zero-trust network architecture — no user or system is implicitly trusted based on network location alone
5. Bug Bounty Program
We welcome and reward security researchers who responsibly disclose vulnerabilities in our platform. To submit a report, email security@watchpartylive.com with the subject line "Bug Bounty" and a detailed description of the vulnerability, including steps to reproduce.
Current bounty ranges by severity level:
- Critical (Remote code execution, authentication bypass, mass data exposure): $500 – $2,000
- High (Privilege escalation, significant unauthorized data access): $200 – $500
- Medium (XSS, CSRF, exploitable business logic flaws): $50 – $200
- Low (Information disclosure, minor configuration issues): $25 – $50
We ask that you allow us 90 days to remediate reported vulnerabilities before public disclosure. We commit to acknowledging all valid submissions within 48 hours and will not pursue legal action against researchers acting in good faith.
6. Incident Response
We maintain a documented, regularly tested incident response plan. Our key commitments in the event of a security incident are:
- Affected users will be notified within 72 hours of a confirmed data breach, meeting the GDPR Article 34 requirement to notify affected individuals without undue delay and the timelines set by applicable US state breach notification laws; the competent supervisory authority is notified within the 72 hours of awareness required by GDPR Article 33
- Our status page at status.watchpartylive.com is updated in real time throughout any active incident
- Tabletop incident response exercises are conducted quarterly to validate our readiness and identify process gaps
- Post-incident reviews are published internally within two weeks of resolution, with root cause analysis and preventive actions
To report a security incident or suspected vulnerability: security@watchpartylive.com