Where does Meldium run?
Meldium runs as a web application using third-party cloud platforms. Meldium currently runs on Heroku and Amazon Web Services, and our servers are located in the United States. We may use other cloud providers that meet our security and availability needs in the future if appropriate.
All of the data exchanged in Meldium is sent over secure (TLS) connections. Our public web application runs only on HTTPS, and our internal network links (between service tiers, databases, and caches) are each encrypted at the transport layer as appropriate.
Meldium connects to other web applications to manage those apps and initiate automatic logins. Those connections are also always performed over HTTPS, and the remote server certificates are always verified.
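The client behaviour described above, as an added Go example that is not Meldium's own code: every outbound HTTPS connection verifies the server certificate chain and hostname, and a connection whose certificate cannot be verified fails during the handshake, before any request leaves the process. The loopback test server, its self-signed certificate and the pinned root pool are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newVerifyingClient returns an HTTPS client that always verifies the server
// certificate chain and hostname. A nil roots pool means the system trust
// store; InsecureSkipVerify is deliberately left at its zero value (false).
func newVerifyingClient(roots *x509.CertPool, timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots},
		},
	}
}

// fetchStatus performs a GET and returns the HTTP status code. If the remote
// certificate cannot be verified the handshake fails first, so no request
// (and no credential it might carry) ever reaches the untrusted peer.
func fetchStatus(client *http.Client, url string) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isCertError distinguishes a certificate verification failure from other
// transport errors such as a refused connection or a timeout.
func isCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError // no trust store available at all
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) ||
		errors.As(err, &invalid) || errors.As(err, &noRoots)
}

// startTestServer starts a loopback HTTPS server with a self-signed
// certificate (constructed for this example) that answers 200 to everything.
func startTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := startTestServer()
	defer srv.Close()

	// With the system trust store the self-signed certificate is rejected.
	_, err := fetchStatus(newVerifyingClient(nil, 5*time.Second), srv.URL)
	fmt.Println("untrusted certificate rejected:", isCertError(err), "-", err)

	// Only after the operator explicitly trusts that certificate does the
	// request go through; this is how a private CA would be added.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	status, err := fetchStatus(newVerifyingClient(pool, 5*time.Second), srv.URL)
	fmt.Println("trusted certificate status:", status, "err:", err)
}
```

The point of `isCertError` is operational: a monitoring rule that treats every failed integration call the same way hides the one class of failure (a certificate that stopped verifying) that deserves immediate attention rather than a retry.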
What sensitive data does Meldium store?
In order to provide app management and automatic login, Meldium must store some of your sensitive information on our servers. For user management, we may store your API keys, your username and password, or an OAuth credential. We will always use an OAuth credential or API key if possible, and we only store passwords if absolutely necessary for a service integration. To provide automatic login, we store usernames and passwords.
How is my data stored?
All of your sensitive data is stored in an encrypted format. We use open-source cryptographic libraries and standard algorithms (AES-256 for symmetric operations and RSA 2048 bit for asymmetric operations). We never write our own cryptographic code or modify existing libraries.
The data we store is also regularly backed up via our cloud providers. The backups are kept in the same format as the original data and thus require access to our master keys to decrypt.
When is my data decrypted?
The keys to decrypt your data are only stored on a secure subset of Meldium's computers. These keys are stored as runtime configuration and are never checked into source code. The computers that are able to decrypt your API keys, OAuth tokens, and passwords run in an isolated application that is not accessible from the public internet. This means that if Meldium's public-facing servers are attacked, the master encryption keys will not be compromised.
Your secrets are only decrypted when they are needed to perform some operation on your behalf (adding an account, disabling a user, logging in to a service, etc.) and the decrypted data is never written to disk or logged. In order to provide the best user experience, our systems periodically use your authentication information to refresh application data.
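The storage and decryption model described in the two answers above, as an added Go example rather than Meldium's own code: each secret is sealed with a fresh AES-256-GCM data key, that key is wrapped with a 2048-bit RSA master key (RSA-OAEP), and the master private key is parsed from the PEM text that runtime configuration supplies instead of from anything in source control. Only Go's standard cryptographic libraries are used, in keeping with the rule against hand-written crypto. The master key and the secret value are generated in memory for the demonstration; the MELDIUM_MASTER_KEY variable name mentioned in a comment is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// StoredSecret is the at-rest form of a credential: what reaches the database and the backups.
type StoredSecret struct {
	WrappedDEK []byte // fresh per-record AES-256 key, wrapped with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// newMasterKey generates a 2048-bit RSA master key (demo only; production loads it via parseMasterKey).
func newMasterKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// parseMasterKey accepts the PEM-encoded private key exactly as runtime
// configuration supplies it, so the key never has to live in source control.
func parseMasterKey(pemData []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("master key must be a PEM-encoded RSA PRIVATE KEY")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret needs only the master public key, so a tier that can write
// secrets still cannot read them back.
func encryptSecret(masterPub *rsa.PublicKey, plaintext []byte) (*StoredSecret, error) {
	dek := make([]byte, 32) // a 32-byte key selects AES-256
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, masterPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &StoredSecret{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptSecret is the operation only the isolated tier holding the private
// master key can perform; the plaintext exists in memory for the call only.
func decryptSecret(masterPriv *rsa.PrivateKey, s *StoredSecret) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, masterPriv, s.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: wrong master key or corrupted record")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext failed authentication: record was tampered with")
	}
	return plaintext, nil
}

func main() {
	// Demo only: the key is generated here. Production parses it from runtime
	// configuration, e.g. parseMasterKey([]byte(os.Getenv("MELDIUM_MASTER_KEY"))).
	master, err := newMasterKey()
	if err != nil {
		panic(err)
	}
	record, err := encryptSecret(&master.PublicKey, []byte("correct horse battery staple"))
	if err != nil {
		panic(err)
	}
	plaintext, err := decryptSecret(master, record)
	fmt.Printf("recovered %q (err=%v) from %d-byte ciphertext\n", plaintext, err, len(record.Ciphertext))
}
```

Because the data key is wrapped rather than derived, a backup copied out of the database is exactly as useless to an attacker as the live row: it still needs the master private key, which only the isolated tier holds, and GCM's authentication tag means a tampered record is refused rather than decrypted to garbage.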
Can I get my data out of Meldium?
Any usernames and passwords that you store in Meldium can be pulled back out of the system. Use the credential exporter tool to download your data as a comma-separated values (CSV) file, a common text format that is supported by dozens of tools.
Can I remove my data from Meldium?
Yes. You can manually remove individual apps and credentials from Meldium using our web app. And at any time, you can contact firstname.lastname@example.org to request that your account be deleted. Once we've confirmed your identity, we will immediately remove all of your data from our system. Encrypted backups of your data may be retained for up to 90 days - these backups are used only for disaster recovery purposes.
Is my data available to Meldium employees?
Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden, and we have strong internal controls in place to prevent it. We never manually decrypt your data, even when debugging issues with our systems or with third parties. We've built a suite of internal tools that allow an operator to perform actions using your secret data without actually logging in to our secure fleet.
A limited set of Meldium employees have access to the secure fleet and the master encryption keys - this access is only granted to employees for whom it is absolutely necessary. Third parties and contractors will never gain access to Meldium's secure hosts, master keys, or your secret data. All internal access to all of Meldium's systems (secure or otherwise) is logged and audited.
What data does Meldium log?
Like other web applications, Meldium creates and collects application logs that track what our servers are doing on each request. These logs are used to find and fix bugs in Meldium and to help us monitor the performance and uptime of the application. We have comprehensive filtering in place to ensure that no sensitive data is logged, and logs are currently retained for two weeks before they are automatically deleted.
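An added example (not Meldium's filter) of the kind of log scrubbing described above, in Go: a writer placed in front of the logger redacts password, token, API key, cookie and Authorization values in free-form, query-string and JSON-style lines before anything reaches disk. The key list and the sample log lines are constructed for the example.

```go
package main

import (
	"io"
	"log"
	"os"
	"regexp"
)

// secretValue matches a sensitive key (bare word, quoted JSON key, header
// name or query parameter) followed by its value. Key names are matched as
// suffixes so that client_secret, x-api-key and user_password are caught too;
// over-matching is the safe direction for a log filter. The key list is an
// assumption for this example.
var secretValue = regexp.MustCompile(
	`(?i)("?[\w.-]*(?:password|passwd|api[_-]?key|token|secret|credential|authorization|cookie)"?\s*[:=]\s*)` +
		`((?:bearer|basic)\s+\S+|"[^"]*"|'[^']*'|[^\s,;&"]+)`)

// redact replaces every matched value with [REDACTED], keeping the key and the
// surrounding quotes so that structured (JSON) lines remain parseable.
func redact(line string) string {
	return secretValue.ReplaceAllStringFunc(line, func(match string) string {
		parts := secretValue.FindStringSubmatch(match)
		prefix, value := parts[1], parts[2]
		if len(value) >= 2 && (value[0] == '"' || value[0] == '\'') && value[len(value)-1] == value[0] {
			return prefix + string(value[0]) + "[REDACTED]" + string(value[0])
		}
		return prefix + "[REDACTED]"
	})
}

// redactingWriter sits between the logger and its destination so that
// redaction happens on every line, whichever call site produced it.
type redactingWriter struct{ dst io.Writer }

func (w redactingWriter) Write(p []byte) (int, error) {
	if _, err := io.WriteString(w.dst, redact(string(p))); err != nil {
		return 0, err
	}
	return len(p), nil
}

// sampleLines are constructed for this example; none of the values are real.
var sampleLines = []string{
	`2014-03-02T10:15:00Z INFO POST /login user=bob password=hunter2 ip=10.0.0.5`,
	`{"event":"integration.sync","api_key":"AKIA-EXAMPLE-1234","user_id":42}`,
	`headers: Authorization: Bearer eyJhbGciOi.e30.sig Cookie: session=abc123`,
	`GET /apps 200 12ms user_id=42`,
}

func main() {
	// Every line written through this logger is scrubbed before it is stored.
	logger := log.New(redactingWriter{dst: os.Stdout}, "", 0)
	for _, line := range sampleLines {
		logger.Println(line)
	}
}
```

Placing the filter in the writer rather than at each logging call is what makes "no sensitive data is logged" a property of the system instead of a habit of individual developers; a new code path that logs a request body cannot bypass it.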
In addition to these application logs, Meldium also creates structured logs that keep track of which users launch which applications. We also track new user creation and user disable / delete operations. We collect this data in order to provide our customers with an audit trail, and to enable features like "recently used apps". We use this log data in aggregate form to better understand our customers and make decisions about the future development of Meldium.
How does Meldium protect my data?
Meldium uses modern web frameworks and follows those frameworks' best practices for securing access. We monitor for bugs and security patches in all the systems we use and apply updates religiously. In addition, we've engaged external security firms to perform penetration tests and source code audits on Meldium's systems, and we will continue with those tests and audits regularly in the future.
What should I do if I find a security problem with Meldium?
We want to hear from you! We're grateful for security researchers who practice responsible disclosure. Please contact us at email@example.com with the details of the problem you've found. We treat these reports as our highest priority and we'll get back to you immediately. And we promise not to seek legal action against those who fully disclose security issues to Meldium and do not maliciously exploit those vulnerabilities.
Any security-related emails sent by Meldium employees will be signed with the following public key. You may also use this key to encrypt any messages sent to firstname.lastname@example.org.
Security Hall of Fame
The following people have reported security vulnerabilities to Meldium. Thanks for your help!
· Evan Ricafort — @robinhood0x00
· Sherin Panikar (KeralaCyberSquad-India)
· Kamil Sevi — @kamilsevi
· Jayson Zabate — @asdJsonYou
· Yuji Kosuga — @yujikosuga
· Alonso Torres Cerdas — @M1UR4K
· Nitesh Shilpkar — @NiteshShilpkar
· Blessen Thomas — @pentagramz
· Aditya Agrawal — @exploitprotocol
· Faisal Ahmed — @FaisaL_GB
· Hammad Qureshi & Huzaifa Jawaid
· Osanda Malith Jayathissa — @OsandaMalith