March 22, 2024

How Mintlify is improving security

Han Wang
Co-founder

We at Mintlify are committed to the privacy and security of our customers. Your trust in our ability to safeguard your data is the cornerstone upon which our services are built.

Our Response to the March Security Incident

The March security incident exposed vulnerabilities in our systems. In response, we conducted an extensive investigation with the help of external security partners to pinpoint the weaknesses that were exploited and to understand the attack vectors involved.

Guided by those findings, we have rolled out a broad set of improvements to our security infrastructure. These measures are designed not only to fix the specific vulnerabilities identified but also to strengthen our overall defenses against future attacks. The goal is to make an incident of this nature as unlikely as we can.

Strengthening Our Commitment to Security

Upholding the highest standards for privacy and security is our top priority. This post provides an overview of our recent security enhancements and our ongoing efforts to protect customer data.

Security Enhancements

Improving encryption at rest

All sensitive user and organizational data will be encrypted at rest using AES-256-GCM.

AES-256-GCM is an authenticated encryption mode: it provides both confidentiality and integrity, so a copy of the stored data cannot be read or silently modified by someone who obtains the database but not the encryption keys. That protection holds only as long as keys are kept separate from the data they protect and a nonce is never reused under the same key; encryption at rest does not defend against an attacker who can drive the application itself, which decrypts data on their behalf.

Deprecating the storage of GitHub OAuth token

Moving forward, GitHub OAuth tokens will no longer be stored in our databases, encrypted or otherwise.

GitHub OAuth will be used only during onboarding, for the sole purpose of generating a starter kit repository. The access token obtained in that flow stays on the user's device, is never transmitted to our servers, and is deleted immediately after its single use.

Deprecating internal admin tokens

A key weakness exploited in the recent incident was our use of internal admin tokens. These tokens have historically been used to access sensitive API endpoints and retrieve user data, and a static token of this kind grants the same access to anyone who obtains it.

In response, we are deprecating the internal admin tokens for the dashboard. Session authentication replaces them: API endpoints are reachable only by authenticated users, and the identity behind a request is taken from the session rather than from request parameters, so users can fetch only their own data.

Introducing a responsible disclosure program

We have introduced a responsible disclosure program that encourages our community and ethical hackers to proactively identify and report security issues to us.

Email infrastructure improvements

We improved authentication within our transactional email infrastructure to prevent unauthorized parties from sending email in our name, so that recipients can verify that mail claiming to come from Mintlify actually does.

Reduced attack surface area

As part of our comprehensive review of security practices, we conducted a thorough sweep of our services and removed all non-critical endpoints. This reduces the attack surface and lets our team focus its security efforts on the endpoints that remain.

Contact us

Our dedication to transparency, security, and the trust you place in us remains unwavering.

Should you have any concerns or questions, please do not hesitate to contact us at [email protected].