The Block’s security policies and practices seek to ensure compliance with all applicable laws, regulations, and our contractual obligations. Our policies and practices also seek to ensure the confidentiality and integrity of our data as well as the availability of the services we provide.
Security researchers: please note that we have discontinued our bug bounty program. Security testing of any of our sites or APIs is no longer permitted. Any submissions received prior to February 22nd will still be processed as normal.
The Block’s security policies apply to all employees (full or part time), interns, and contractors. All policies are approved by the leadership committee and are scheduled to be reviewed yearly. We have a variety of policies in place to cover topics such as change management, third-party vendors, acceptable use, and risk management.
All user accounts require both complex passwords (minimum of 10 characters) and MFA.
Access to resources is based on the principle of least privilege and is granted through a change management process. Access that is not needed long term is revoked.
All new hires receive an initial security training. All employees receive monthly security micro-trainings on rotating topics. Educational phishing simulations are run on a monthly basis. Other trainings are held on a rolling basis.
Testing and production environments are logically separated. Corporate users have no access to testing or production. Each boundary is protected by a firewall that limits the ports and services to those required. Access to various environments is based on business need.
All changes to production and sensitive access grants go through a change management process. Separation of duties is enforced during the change management process. All requests are reviewed regardless of approval status. An emergency process for after-hours urgent changes is also in place.
An email firewall is in place to scan for malware in attachments and block suspicious emails. The email server will attempt to negotiate encryption if the sender’s server also supports encryption. Email is equipped with a “report phishing” button that allows employees to alert the Security Team to any phishing emails that made it past the firewall.
Production infrastructure is scanned on a monthly basis. Identified vulnerabilities are addressed based on criticality level.
All data classified confidential or above is encrypted at rest (AES-256) and in transit (TLS 1.2 or above).
Vendors that store, process, or transmit data classified confidential or above receive a risk evaluation by the Security Team.
Vendor security posture, terms of service, and privacy practices are evaluated.
Last updated: February 22nd, 2024