Data, Data, Data, Data, Protectin’ Everywhere​

Protectin’ everywhere, protectin’ everywhere ​

Cribl values customer trust above all else. We are committed to keeping customer data safe and secure, and have built all Cribl products and services from the ground up with security, compliance, and user privacy as top priorities. We want to be transparent about how we’re following industry compliance standards and data protection laws and regulations, and hope this page gives our customers peace of mind when choosing and using Cribl’s suite of products. So please, peruse this information to your heart’s content, and if you have any additional questions around privacy and security, please contact us.

Security

At Cribl, we strive for security by design. With the security approaches Cribl takes, including access management, risk management, and security governance, our customers are able to gain more control, more flexibility, and more confidence when using Cribl products and services.


Our product security program aligns with best practices from the National Institute of Standards and Technology (NIST). Cribl provides developers with training that reinforces secure development and architecture practices, to promote pragmatic security in the development process.


Cribl has dedicated engineers focused on product security. They apply a secure development lifecycle that includes:


  • Threat Modeling
  • Software Composition Analysis
  • Static Analysis Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • External Penetration Testing

Cribl information security professionals receive continuous training and certifications from reputable organizations such as Information Systems Security Certification Consortium, Inc. (ISC2), and Offensive Security. Additionally, our practitioners maintain relationships with security interest groups such as the Open Web Application Security Project (OWASP) and Information System Security Association (ISSA).


Please contact security@cribl.io to get in touch with our product security group.

Compliance

We align our compliance with continuous risk management to better secure our operational environment, products, services, and — by extension — you and your data. Cribl is currently expanding, and will always expand, our portfolio of Security and Compliance Reports as our customers request them. Reports are available to all customers and prospects under NDA.

SOC 2

Cribl complies with SOC 2 requirements for its Cloud Products and related organizational controls. Cribl received its first SOC 2 Type II attestation report in April 2022 for its initial observation period ending December 31, 2021, and is continuing with annual audits. SOC 2 ensures compliance with worldwide industry standards for data security, and instills confidence in enterprises using Cribl in their observability and cybersecurity environments.

SOC 2 standards are established by the American Institute of Certified Public Accountants (AICPA), and address security controls such as organization and management, monitoring of controls, communications, risk management, and more. The Type II evaluation is a rigorous security verification process focused on systems related to security, availability, processing integrity, confidentiality, and privacy of data. This means that brand manufacturers using Cribl’s suite of products to collect, enrich, distribute, and search their observability and cybersecurity data can feel confident in the secure design and operating effectiveness of Cribl.

We require a mutual non-disclosure agreement (MNDA) before sharing access to our SOC 2 Report and our most recent Penetration Test. Customers may request the MNDA or our security documentation by emailing certifications@cribl.io.

Privacy

Privacy Statement

Cribl is committed to the privacy of all our users. Cribl’s Privacy Policy is a plain-language source of information that explains what we collect from users through our interactions with them, as well as why and how we collect this information.

Our Privacy Policy explains Cribl’s commitments under laws and regulations that protect Personal Data, including the European Union’s General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), and other applicable laws and regulations.

For our Canadian subsidiary, our Privacy Officer is the fabulous and limitless Chell Mendiola, who can be contacted at privacy@cribl.io.

Subject to applicable law and regulations, individuals may have rights involving their own Personal Data. Any User may exercise their rights by contacting Cribl’s Privacy Team at privacy@cribl.io.

Which Cribl Products are Right for Me?

Cribl gives customers choice with how they want to deploy Cribl Products—Cloud, Hybrid, and On-Premises. Our customers’ specific industry requirements often drive which product(s) they should select. To help you decide, we’ve put together this quick explanation of what it means to work with Cribl.

Where Oh Where Does My Data Go

Cribl offers two main deployment options to our customers:

  1. On-Premises: Cribl Stream and Cribl Edge
  2. Subscription on Cribl.Cloud: Cribl Stream, Cribl Edge, and Cribl Search

Cribl products include:

  • Stream – a data collection, reduction, enrichment and routing system for observability data.
  • Edge – an intelligent, scalable, edge-based data collection system for logs, metrics and application data.
  • Search – a search feature to perform federated Search-in-place queries on any data, in any form. Cribl Search is available only on Cribl.Cloud (not available on-premises).
  • AppScope – an open source, operations-centric instrumentation tool for applications.

On-Premises Deployment

With an on-premises deployment of Cribl Stream or Edge, the customer remains in complete control over their data. The customer not only controls who has access to the product, internally and externally, but also all of their data from end to end, ingest to output. At our Enterprise and Standard license levels, customers with on-premises deployments are able to disable the sending of anonymized telemetry data back to Cribl. That telemetry data provides us information on the Product’s functioning, but does not transmit any customer data processed there.

Cribl is able to support customers in healthcare, financial services, and government fields when Cribl Products are deployed on premises because such products are considered Commercial Off The Shelf (COTS) products that allow customers to use internal controls required in those heavily regulated data infrastructures. Indeed, a customer with an on-premises deployment would need to affirmatively send us sensitive information to cause a disclosure.

Cloud and Hybrid Deployments

For our subscription Cribl.Cloud deployments, Cribl.Cloud offers a cloud-based service for dedicated Stream, Edge, and Search environments, so customers can get up and running quickly. Cribl takes care of the infrastructure management and scaling, making this the fastest and easiest way to realize the value of Cribl Products.

Cribl.Cloud is hosted in AWS, meaning there are AWS safeguards and certifications in place; details here. Every Cribl.Cloud account is provisioned in a standalone AWS account, providing full isolation of data and control. This architecture ensures that no sensitive data can be accessed without the correct access controls.

Cribl.Cloud is also SOC 2 Type II certified, and we follow best practices as part of our operations. Cribl’s compliance with SOC 2 security standards, along with the penetration testing and other security activities that Cribl performs, provides assurance that information stored or processed in Cribl.Cloud is secure.

Cribl Site Reliability Engineers (SRE) have access to the Leaders and to Cribl-managed Cloud Workers for management purposes. All SRE activities are audited. Engineers do not have access to hybrid workers, to Edge Fleet nodes, or to customer data as it gets processed through Workers (nor to the S3 buckets that customers use as part of Cribl Search).

When you use Cribl.Cloud in a hybrid deployment, Cribl still offers a Leader node in the Cloud, but some or all of your Worker nodes can be on-premises, on physical or cloud infrastructure that you provide. Because our product features “preview” options on the Leader node to enhance product functionality, data could be viewed from the Leader node by customers. Additionally, when you use Cribl Search, the persistent queuing function could cause information to be viewed from the Leader node. In a full Cloud deployment, some data may be viewable by Cribl customer support through Cribl.Cloud’s processing technologies, with consent from the customer.

Cribl does not yet hold specific certifications demonstrating compliance with security standards for processing certain categories of sensitive data through Cribl.Cloud, including personal data, personal health information, payment card information, special categories of personal data protected by applicable laws such as the GDPR, and non-public, personally identifiable consumer financial information.

Customers must use Cribl Products to process such data only as allowed by applicable law and data protection standards, including the General Data Protection Regulation in the European Union, the California Consumer Privacy Act, the California Privacy Rights Act, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and the Payment Card Industry Data Security Standard.

Support, Services, Affiliates, and Subprocessors

As a general matter, we have support personnel located globally to provide our subscription services with extended service hours, taking advantage of our regional presence in each of the time zones. Cribl may provide services through its services personnel or through partners, whichever resource best meets your needs.

Cribl provides support and services remotely and will not generally require access to your physical facilities. Cribl also provides extensive documentation for all of its products. Cribl generally does not perform work-made-for-hire services.

We have agreements in place with all our affiliates, partners, and sub-processors to ensure they provide sufficient protection for your data consistent with applicable privacy and data protection laws. The sub-processors we use are described here.

FAQ

Do you offer Service Level and Support Commitments?
For our Cloud offerings, we include availability commitments for Cloud Products and response times for support, as we understand and are proud that our products are largely intended for use in your core commercial activities as an organization. These commitments, including our response times and uptime availability targets, are consistent across all customers. We are largely unable to make changes on an individual-customer basis, absent extraordinary circumstances — which are negotiated case by case, and can add length to the contracting process.

Can I request Professional Services?
Absolutely. Cribl can provide work-made-for-hire services, but customized work will be governed by a separately negotiated and executed statement of work (SOW). For more information, read our Services Addendum. In the event you request any professional services, Cribl can work with you to craft a SOW.

Where does my data go in Stream on Cribl.Cloud?

Scenarios:

  • Streaming data through Cribl to destination
    When streaming data through Cribl to a given destination, the data is temporarily held in memory during processing. Leader and Worker nodes do not store data on disk.
  • Streaming data written to disk when Persistent Queuing (PQ) is enabled
    When pipeline PQ is enabled by the customer, data is written to encrypted Amazon Elastic File System (EFS) storage. The data resides on this storage until the Worker nodes drain the queue. Once the queue is drained, the data no longer persists on the disk or anywhere else in Cribl.Cloud.
  • Streaming data capture from the Leader node
    When Customers execute a data capture from the Leader node on a source or pipeline, data is resident on the encrypted storage volume. Customers own this and can delete data at any time from the Routes or Pipelines section in Cribl’s user interface.
  • Diagnostic bundle
    Diagnostic bundles initiated and created by customers during Customer Support calls are used to provide top-notch customer support fast. In the back end, Cribl securely stores these bundles in encrypted S3 storage for the duration of the support case. Details can be found at Diagnosing Issues | Cribl Docs.
  • Customer account data
    Customer account data (e.g., name, phone number, userID, etc.) is stored in an encrypted customer database.
  • System log data
    System log data (not streaming customer data) collected for Cribl.Cloud operations is stored in an encrypted log analytics system.

What about my authentication data in Stream on Cribl.Cloud?
Authentication data – things like secrets and passwords, authentication methods, etc. – is stored on disk in the encrypted Cribl secret store. This data can be removed through Cribl’s UI or via the API.

Cookie Statement

The TL;DR is that Cribl’s cookie settings track user access across our website properties, but we do not track a user once they leave our website. For a more detailed explanation, Cribl may use Personal Data about visitors to the Sites to monitor performance, access, usage, and security of the Sites and the Platform, including as follows:

  • Visiting our Sites: We may collect information automatically obtained by visiting or otherwise accessing the Sites that is Personal Data (“Visit Data”). Specifically, Visit Data includes Internet Protocol (“IP”) address, the date and time of the visit, page requests, browser and device information, operating system, and average times spent on the Sites. We use this information to help us understand our Sites’ activity and to monitor and improve the Sites.
  • Analytics/Tracking: We and our third-party service providers, including Google Analytics and Hotjar, collect, process, store and analyze information obtained from your browser when you visit our Sites, including IP address, device identifiers, browser characteristics, operating system details, language preferences, referring URLs, length of visits, and pages viewed. We also use cookies or other tools that track, measure and analyze the behaviors and usage patterns of visitors to the website. We use this information to help us understand how visitors engage with the website and to improve our visitors’ experience.

A cookie is a delicious small sweet food, typically round and flat and has a crisp or chewy texture. Some argue the chocolate chip cookie is the best type of cookie. A cookie is also a tiny element of data that the website can send to your browser, which may then be stored on your computer or mobile device so we can recognize you when you return.

Cookie settings are separated into categories: Strictly Necessary, Functional, Performance, and Targeting. Strictly Necessary cookies are required to use Cribl’s Platform and Sites and to store cookie settings. Users can manage cookie settings for Functional, Performance, and Targeting Cookies. We use cookies for analytics purposes, as well as for certain features of the Sites. You may set your web browser to notify you when you receive a cookie, or to not accept certain cookies. However, if you decide not to accept cookies from the Sites, you may not be able to take advantage of all of the features of our Sites.

Exercise Your Privacy Rights

Cribl respects consumer privacy. Depending on your state of residence, you may be entitled to certain information regarding the data that Cribl collects.

For California consumers

Under the California Consumer Privacy Act and other laws and regulations, consumers in California have a right to: (1) know about the use, including sharing, of the personal data Cribl collects about them; (2) access the personal data Cribl has collected; (3) request deletion of their personal data, with some exceptions; and (4) opt out of the sale of their personal data. Cribl does not sell the personal data of any users or consumers.

For Virginia consumers

Under the Virginia Consumer Data Protection Act and other laws and regulations, consumers in Virginia have a right to: (1) confirm whether Cribl is processing their personal data; (2) access the personal data that Cribl collects about them; (3) correct inaccuracies in their personal data (considering the nature of that data and purpose of its processing); (4) request deletion of personal data provided by or obtained about the consumer; (5) obtain their personal data in a portable and readily usable format where the processing is carried out by automated means; and (6) opt out of targeted advertising, sale of their personal data, and profiling when that profiling produces significant or legal effects concerning the consumer. Cribl does not sell the personal data of any users or consumers.

For Colorado consumers

Under the Colorado Privacy Act and other laws and regulations, consumers in Colorado have a right to: (1) confirm whether Cribl is processing their personal data; (2) access the personal data that Cribl collects about them; (3) correct inaccuracies in their personal data (considering the nature of that data and purpose of its processing); (4) request deletion of their personal data; (5) obtain their personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance; and (6) opt out of targeted advertising, the sale of personal data, and profiling when that profiling produces significant or legal effects concerning the consumer. Cribl does not sell the personal data of any users or consumers.

For Individuals in the UK/EEA

Under the UK and EU General Data Protection Regulation, individuals in those countries have certain rights relating to their personal data, subject to local data protection laws. Depending on the applicable laws, these rights include:

  • Right of Access. To the extent required by law, you have the right to receive confirmation as to whether or not your personal data is being processed and, if so, access to the purpose, category, and recipients.
  • Right of Rectification. Our goal is to keep your information accurate, current, and complete; please contact us if you believe your information is not accurate or if it changes.
  • Right to Erasure. In some cases, you have the right to request that we delete your personal data when (1) it is no longer necessary for the purposes it was collected; (2) consent has been withdrawn; (3) you have objected to processing; and/or (4) it is being unlawfully processed. This right is not absolute. When we delete personal data, it will be removed from our active servers and databases, but it may remain in our archives when it is not practical or possible to delete it or when we must retain it to comply with our legal obligations, resolve disputes, or enforce agreements.
  • Right to Restrict Processing. This is applicable when (1) the accuracy of the personal data is contested, until we can verify the accuracy of the data; (2) the processing is unlawful and you oppose erasure and request restriction instead; (3) we no longer need the information, but you need us to keep it for the exercise of claims you have; or (4) you have objected to us processing your information, pending resolution of the objection.
  • Right to Withdraw Consent. If you have previously provided consent with regard to our collection, processing, and transfer of your personal data, you may have the right to alter or withdraw that consent. Once we have received that notice, we will no longer process the information for the purposes to which you originally consented and have since withdrawn, unless there is an overriding and compelling legitimate ground for further processing. Withdrawal of consent to receive marketing communications will not affect the processing of personal data for the provision of our services.
  • Right to Complain. If you believe we have not processed your personal data in accordance with applicable law, we encourage you to contact us at privacy@cribl.io. You may also have the right to make a complaint to an applicable Supervisory Authority or seek a remedy through the courts. A list of Supervisory Authorities for residents of the EU or EEA is available at: https://edpb.europa.edu/about-edpb/board/members_en.

Exercising These Rights

For any of the above consumers who wish to exercise their privacy rights, please email us at privacy@Cribl.io and include the following:

  1. Your name and e-mail contact information (for internal verification purposes);
  2. The nature of your request, including whether this is a request for information, amendment, deletion, or an opt-out request.

Because we respect your privacy, we ask that you not include uploads of government-issued photo identification for these purposes; any additional verification will be specifically requested, if needed. Should we be unable to take the action requested, you will be entitled to further information regarding why the requested action could not be taken.

Cribl does not discriminate in response to privacy requests.


Report an Issue

Disclosure

BUGS?! Ew, David. If you believe you’ve discovered a bug in Cribl’s security, please reach out to us at security@cribl.io. We will get back to you as soon as we can and ask that you do not publicly disclose the issue until we’ve had a chance to address it.

Responsible Disclosure Program

Purpose

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises.

The Cribl product security team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability that may be present in our applications and services. Cribl is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.

For these reasons, Cribl provides a responsible disclosure program for all of its products and services, including Cribl.Cloud and Cribl’s website. The program is governed by the Responsible Disclosure Addendum and these terms. Please review both before you test or report a vulnerability to Cribl. We will provide a safe harbor to security researchers as long as they adhere to program requirements and are acting in good faith.

Reporting

If you have details of a suspected vulnerability, please reach out to the Cribl product security team by sending an email to security@cribl.io. You can use our PGP Key to encrypt the email.

PGP Fingerprint: 93BCCB5500D176D131D06C41892C4E60AA85BA2B

If you feel your account may have been compromised, do not hesitate to contact the Cribl support team at https://cribl.io/support/.

If you have other concerns you wish to report, you can submit them in any one of three ways:

  1. Go to cribl.ethicspoint.com and click “Make a Report”;
  2. Go to https://criblmobile.ethicspoint.com on your mobile device; or
  3. Call 844-974-5071.

Sharing of vulnerability details outside of our formal reporting process is not permitted and will not result in acceptance by the Cribl product security team of your vulnerability report.

Policy

We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Give the Cribl Product Security Team a reasonable time to correct the issue before making any information public

Program Rules

Cribl encourages the responsible and ethical discovery and reporting of vulnerabilities. The following program rules apply:

  • When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other tenants or Cribl employees may be disqualified. It’s also best practice to tell us the accounts you are using for testing even when they are under your control;
  • Do not run automated scans without checking with us first;
  • Do not test the physical security of Cribl offices, employees, equipment, partners, vendors, or contractors;
  • Do not test using social engineering techniques (phishing, spear-phishing, pretexting, etc.);
  • Do not perform DoS or DDoS attacks. You are welcome and encouraged to look for vulnerabilities that can be leveraged for DoS or DDoS attacks; we just don’t want you actually exploiting the issue outside of a tightly controlled environment;
  • Do not access, or attempt to access, data, information, or physical building units that do not belong to you;
  • Do not violate any applicable law or breach any agreements in order to discover vulnerabilities, or otherwise use unethical means to gain access or information;
  • Only the first reporter is eligible for receiving a reward (refer to the Recognition and Rewards section below).

In Scope & Out of Scope Targets

All parts of our applications and services available to customers are in scope and are our primary interest. Please have a look below for in-scope targets.

Cribl uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis, and most likely will not be eligible for a reward. The following third-party systems are excluded:

  • Direct attacks against any part of AWS’s infrastructure
  • Okta
  • Auth0

Non-Qualifying Vulnerabilities

Low severity, purely theoretical and best-practice issues do not qualify for submission. Here are some examples:

  • Descriptive error messages (e.g., Stack Traces, application or server errors)
  • Theoretical subdomain takeovers with no supporting evidence
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Information leakage, fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g., robots.txt)
  • Clickjacking on a public page and issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users (e.g., the contact form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of Secure/HttpOnly flags on non-sensitive cookies
  • Weak Captcha/Captcha Bypass
  • Forgot Password page brute force and account lockout not enforced
  • OPTIONS HTTP method enabled
  • Reflected file downloads
  • Missing Cache-control
  • Host Header Attack
  • Directory Listing
  • Missing HTTP security headers (specifically, the OWASP list of useful HTTP headers)
  • SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)
  • Not performing rate limiting on non-login endpoints
  • Content spoofing
  • HPKP/HSTS preloading
  • Generic examples of Host header attacks without evidence of the ability to target a remote victim
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
  • SPF, DKIM, or DMARC settings & Email Spoofing
  • Mixed Content Scripting & Self XSS
  • EXIF Geolocation data
  • Open WordPress JSON API without an exploit
  • Password Reset token leakage
  • Password policy

In Scope

Note: Please run a whois lookup before you submit any issues on domains found by subdomain scanners.

  Target                  Notes
  https://*.cribl.cloud   Only the tenants you are assigned after registration are in scope
  https://*.cribl.io      