Security
Last Updated: November 3, 2025
Introduction
Winningfinder’s security policies and practices are designed to ensure compliance with all relevant laws, regulations, and contractual obligations. These policies also aim to uphold the confidentiality, integrity, and availability of our data and services.
Note for Security Researchers:
Please be advised that the Winningfinder bug bounty program has been discontinued. Security testing on any of our websites or APIs is no longer permitted. Submissions received before February 14, 2025, will still be processed according to our standard procedures.
Policies
Winningfinder’s security policies apply to all employees (full-time and part-time), interns, and contractors. These policies are subject to approval by the leadership committee and are reviewed on an annual basis. Our policies cover various areas, including change management, third-party vendors, acceptable use, and risk management.
Authentication and Authorization
All user accounts require the use of complex passwords (minimum of 10 characters) and multi-factor authentication (MFA). Access to resources is granted in accordance with the principle of least privilege and is managed through a formal change management process. Access permissions that are no longer required on a long-term basis are promptly revoked.
Training
All new employees undergo an initial security training session. Employees also participate in monthly security micro-trainings on a rotating set of topics. Phishing simulation exercises are conducted monthly, and additional training sessions are offered periodically on various security topics.
Environments
Our testing and production environments are logically separated. Corporate users do not have access to testing or production environments. Each environment is secured by firewalls that restrict access to only the necessary ports and services. Access to different environments is granted based on business needs.
Change Management
All changes to production systems and sensitive access permissions must go through a formal change management process. We enforce separation of duties throughout the change management process, and all requests are reviewed, regardless of their approval status. An emergency process is in place to accommodate urgent changes outside of regular business hours.
Email Security
An email firewall is implemented to scan for malware in attachments and detect suspicious messages. The email server attempts to establish encryption with any sender’s server that supports it. Employees can use a “Report Phishing” button to alert the Security Team if any phishing emails bypass the firewall.
Vulnerability Scanning
Our production infrastructure undergoes monthly vulnerability scans. Identified vulnerabilities are addressed based on their severity and criticality level.
Encryption
All data classified as confidential or higher is encrypted both at rest (using AES-256) and in transit (using TLS 1.2 or above).
Vendor Management
Vendors who store, process, or transmit confidential or higher-level data are subject to a risk evaluation by the Security Team. We evaluate vendors’ security posture, terms of service, and privacy practices to ensure they meet our standards.