[🚀 Launching Flusk Vault] The Game-Changing Tool for Bubble.io Security 🔒 | Save Hours in Development and Upgrade your Standards

Introducing Flusk Vault, Finally a Security Tool for Bubble Apps :rocket:

:arrow_right: Flusk Vault monitors your Bubble app round the clock for your secrets and sensitive data.
We catch the leaks and mistakes, you build a secure and compliant app.

:partying_face: We just released our first public version during our Inauguration Day in Paris with Alegria Group on March 29th, 2023.

:point_right: So it is now live, and you can try it for free now by clicking this link.

Trailer

Covered Security Points

:zap: We cover 20+ security points, and add new ones every week. We are currently at 60% of all the issues we want to integrate.
Here are some of them:

  • Data API
  • Privacy Rules Checker
  • Data Leaks Scraper
  • Page Protection Checker
  • API Connector Authentication Keys
  • API Connector Sensitive URLs
  • API Connector Sensitive Initialization Values
  • Backend Workflows Protection
  • Editor Privacy
  • Third-party Access Manager
  • Compromised Workflows Finder
  • Password Policy
  • OpenAPI Swagger File

:arrow_right: And you can find the full list on our website.

Features

Continuous Security

:arrow_right: Automated tests when you push live (no plugin or Chrome extension required)
:arrow_right: Define scheduled tests on a regular basis (e.g. run a test on version ‘live’ every Friday at 02:00am)
:arrow_right: Stay alerted with our notification system by Email, SMS, Phone and Push notifications

Best Security Checklist

:flashlight: We are always up to date about Bubble flaws regarding security.
Focus on features, not on meticulous and hard knowledge you’ll take hours to learn. We can do it for you. :zap:

Comprehensive issues

Flusk Vault only presents vulnerabilities when they are actual issues, allowing you to save focus. :computer:
Our tool facilitates your team’s comprehension of security by providing documentation for every issue and reverse-engineering insights for Bubble developers. :busts_in_silhouette:

:link: You can preview it from this link.

Collaboration-ready

:arrow_right: Flusk Vault seamlessly integrates into your development process, providing an overview of the necessary steps to ensure security.
With the ability to share access with team members and assign tasks to collaborators, our tool facilitates efficient collaboration.

Review from our customers

Jorge Del Carpio, CEO at Kreante

“Vault has been crucial in improving the security of all applications developed by Kreante. […] Its detailed reporting and comprehensive analysis helped us optimize the application. Highly recommend Flusk to improve security and performance.”

Claire Le Dren, Head of Product at Lhyfe

“Using no-code allowed us to test and develop new features hyper-agilely. Lhyfe’s project is strategic and securing customer data is crucial so Flusk’s quick support is vital. Working with Wesley and Victor - Bubble geniuses, is pleasant and reliable.”

Eliot Boutantin, CEO at Unpoco

“I had trouble making my Bubble app 100% safe. It was time-consuming and painful. When I tested Vault for the first time I was amazed and released. Because it’s so simple to use. And you miss no more issues.”

Q&A

Will Flusk Vault slow down my app?

No! Flusk Vault won’t interfere with your app’s performance :tada:
This is because nothing is installed on your app and we use limited requests/queries to your app to deliver our security reports.

How does Flusk Vault process my application data and privacy?

We understand that granting access to your application and its data may cause concern, but please be assured that we will never access or use your private data without your explicit consent.

Flusk takes privacy very seriously and follows practices to ensure the security of user data. All user data is encrypted in transit and at rest, and all user interactions with the system are protected by authentication protocols. Additionally, Flusk Vault maintains rigorous internal policies and procedures to ensure that user data remains private and secure.
:link: Learn more here: How does Flusk Vault process your application data and protect your privacy? | Flusk Help Center

Is Flusk Vault GDPR compliant?

At Flusk, we recognize that the General Data Protection Regulation (GDPR) is a crucial concern, particularly when it comes to safeguarding your customer data. This article provides detailed information about our policies and practices that ensure GDPR compliance.

TL;DR - The Flusk tools are compliant with the European GDPR

If you’d like to gain insight into how we handle the processing of your app’s data and address privacy concerns, we suggest you read our comprehensive article on the topic. The link to this article can be found here: How does Flusk Vault process your application data and protect your privacy?

Otherwise, you can read the full summary of our last GDPR audit.

Can I use Flusk Vault if I’m on a Free Bubble plan?

Yes you can :tada:
Every Bubble plan is compatible with Flusk Vault, including the free tier.

Pricing

We adopted a Fair Pricing, because we want security to be accessible for everyone.
So for the moment, our pricing starts at $65 for a 1-year license.
With a license, you can run as many tests as you want. (Yes, this is really cheap).
:warning: We plan to update our pricing really soon, probably around April, 6.

The pricing is dynamic and depends on the number of employees in the company.

Here is the pricing sheet for a 1-year license for businesses running on Bubble, on 03-30-2023 :

  • 1 employee : $65
  • 2 employees : $145
  • 3 employees : $285
  • 4 employees : $440
  • Up to 7 employees : $730
  • Up to 10 employees : $990
  • More than 10 employees : on custom quote. Please contact us here.

Links & Access

You can try Flusk Vault from now.

6 Likes

Is this license per application or can I use it on all applications I build?

Hey Raph, this is a licensing per application, as it would otherwise be too difficult to price single developers and big agencies running thousands of projects a year :rocket:

1 Like

We just released a new version of Flusk Vault. The goal with this update was to reduce the amount of false-positive issues as well as reduce the “overwhelming” feeling when first using Vault based on your feedback.

Flusk Vault 1.1

New Issue Engine for APIs

We’ve redesigned our testing engine to provide more accurate issues for APIs.

We built an AI model to detect whether or not your integrated API calls contain providers that do not enforce authentication and if this provider is sensitive in order to trigger the “Unprotected API call URL” issue.
For example, having the URL of your Xano backend visible might be sensitive, but having the URL of a favicon-fetcher API might not be.

We hope that this would significantly reduce the amount of false-positive issues.


The new “Visible URL in API call” automatically resolves because the domain was classified safe.

Predict AI Redesign for Datatypes and Pages

In the past, false positives from our Predict AI would generate a lot of unnecessary issues on installation.

From now on, only datatypes and pages reviewed manually will be checked by our tool to ensure consistency. However, new fields and pages created after the installation of Vault will still be automatically predicted by Vault.

Resolution Details for Issues

We’ve worked on including more details about why an issue has been resolved automatically in order to provide you with more context.
Some issues now have more additional details, and they are now version-related!

We’ll see you very soon for Flusk Vault 1.2 with very exciting features incoming.

In the meantime, you’re welcome to check the full changelog and to participate in our feature board!

1 Like

Had the opportunity to test the product in beta.

Amazing work, really useful information and insights and clear instructions on how to clear security issues.

A must have for every serious app !

---

Thomas
Founder @ Nocodable

1 Like

The design on this app is pretty much perfect. Which I guess is subjective. But everything works, resizes, flows as it should. Started to try and figure out how you connect everything but just stopped.

Very impressive. Very.

Bubble security is becoming more of a focus as of late. Wishing you success.

2 Likes

Thank you Thomas for all the feedback you provided during the beta-testing phase.
Building such products wouldn’t be possible without devoted people like you! :heart:

1 Like

Thank you so much for the positive feedback @lollib !
We’ve spent a LOT of time working on the UI/UX with our beta testers, and seems like it was the right way to go! :rocket:

This is definitely the most exciting update of Flusk Vault since its release, I’m happy to introduce you to Flusk Vault 1.2!

Live tour with Victor

In a Nutshell

Flusk Vault is now able to detect data leaks on your app from misconfigured Privacy Rules along with a new tool to check your Privacy Rules, we also got rid of the collaborator access, which is now optional!
Finally, we release Flusk Earn, a new way to gain exclusive benefits from referring friends and helping us grow!

No Collaborator Access Required

We officially signed the end of the requirement to add our account as a collaborator on your app. This was a frequent request from our users, especially agencies.
Some security points obviously can’t be checked without permission on your application, but we manage to keep them as low as possible, and you can always keep us as a collaborator to benefit from them!
Here’s the updated list of the security points Flusk Vault checks on your Bubble app along with the access level it requires: Flusk Vault Security Features

New Ownership Verification Process
Therefore, when installing Flusk Vault you can now verify the ownership of your app using another method: simply by creating a page on your app!

Data Leaks in Flusk Vault

We just integrated Data Leaks in the tool, as this was at the core of our roadmap for a while.
The tool is now able to check for data leaks (from misconfigured Privacy Rules and Database Queries) anywhere on your pages (any group, element, pages or repeating group!)
We also improved our Predict AI to only trigger an issue when the data leak contains sensitive fields.

We’re excited to hear your feedback on this feature! Feel free to reach out if you have any suggestions.

New Privacy Rules Checker Tool

Flusk Vault will now create issues when data leaks are found, but it doesn’t make the process of defining your Privacy Rules easier right?
Well, it actually does, because we’re also releasing a new tool (accessible from your Vault Dashboard) to check data leaks on your app in real-time, making your fix process much easier and more comprehensive.

The tool is also accessible publicly (without access to advanced settings) from this link: Free AI Privacy Rules Checker

Flusk Earn & Referrals

Since we built Flusk, we always received a very high engagement from our community and users, and most of you always want to help us grow and build new features.
That’s why we thought it was time to give back by releasing a new system to gain access to exclusive benefits and discounts depending on your support to us.

The new Flusk Earn dashboard lets you see your current reward level based on your engagement.
You can now earn points by participating in our Feature Board, promoting us and referring users.
Our referral system is now also working and lets you earn commissions on sales!

Better (…or Fewer) Notifications

We noticed that some of you were receiving quite a lot of notifications from the tool, especially when you had the tests on deploy activated.
That’s why we now rebalanced our system to send you fewer notifications.
You can now also set a maximum of notifications you want to receive in the “Notification” tab of your settings in the Flusk dashboard.

Minor changes

  • You can now see who scheduled tests
  • We improved the UI of the issues tab and added pagination to make the tool load faster (and save some WU!)
  • Fixed issues that kept coming back even when ignored
  • Fixed false-positive when detected public URL in API calls and
  • Deprecated the sample issue
1 Like

Hey @weswas and @vnihoul77 :wave:

This has been very helpful. I was able to check some of my apps and see a couple of helpful things. Most are just things that should be public, so it’s not an issue. The privacy checker is very helpful. Thanks for setting this up. It goes a step further into testing to allow us to really lock down our apps.

I will be referring my clients to check their apps on here to make sure they are more secure. I also will continue to work with them to secure their apps. I can walk them through it in our sessions.

Thanks :blush:

@j805 www.NoCodeMinute.com

1 Like

Thank you so much for your positive feedback @J805 !
Really appreciate it :rocket:

1 Like

Hey @weswas @vnihoul77,

Great product overall! The privacy rules checker, in particular, is a gem!

Wow, thank you Johnny for the kind words!
Also, thanks for being one of our most devoted beta-testers. :rocket:

1 Like

Definitely, product awesome, privacy rules checker an eye opener.

Another great and exciting update of our security tool; I’m happy to introduce you to Flusk Vault 1.3!

In a Nutshell

Our latest update includes the ability to generate and export Security Reports and Certificates directly from your dashboard in a PDF format. This addition ensures you have easily accessible and tangible records of your data security status at your fingertips.

Moreover, Flusk Vault now boasts a robust mechanism to detect vulnerabilities within reusable elements. From now on, there are no parts of your app that Flusk Vault cannot check anymore!

As always, we have also enriched Flusk Vault with a myriad of new features, designed to accelerate your operations and simplify your experience.

PDF Exports and Security Certificates

You’ve asked, and we’ve listened. We’ve finally added automatic PDF exports to our service.
What does that mean for you? Well, you can now quickly grab a Security Report of your app - that’s a neat document showing you all about your app’s security, the versions it covers, and the security points that were checked.

But wait, there’s more! We’re also offering a Security Certificate. That’s an official paper from us at Flusk, saying your app is secure and ready to go.

This is a fantastic way to show your customers and investors that your app is safe and sound. Plus, it’s super easy to do. This is all about giving you the tools you need to build trust and keep your app in tip-top shape.

Support for Reusable Elements

Guess what? We can now discover vulnerabilities within reusable elements.
This means we can catch security issues (like wonky workflow actions) even within these reusable parts of your app.

So you can kick back and relax, knowing your app is super secure.

Automatically Rename Fields in Bubble

We all know that setting up Privacy Rules can be a tough gig – it takes ages and it’s super easy to mess up.
But guess what? We’ve got a cool new feature that’s gonna help you spot those tricky sensitive fields fast when you’re setting up your Privacy Rules or building your app.
Here’s the magic: you can sync up Flusk Vault with your Bubble Editor, and we’ll add a “:red_circle:” emoji right in front of every sensitive field in your editor. So you’ll know exactly what to watch out for!

Just a heads-up, you need to have collaborator access enabled to switch this feature on.
Sound good? Then don’t wait! Switch on this feature right now in the “Tools & Schedule” tab on your Flusk Vault dashboard.

Bulk Sensitivity Review

Alright, let’s be honest, reviewing the sensitivity of pages and fields within the Flusk Vault app was a bit of a pain, wasn’t it?

We totally get it, and hey, we never meant for it to be so tricky. But here’s the great part - we’ve been listening to your feedback and we’ve just given our review system a total makeover.

Now, you can review your database fields and pages all in one go with our new bulk review feature.

So, what used to take you a few grueling minutes, now only takes a few easy-peasy seconds! How awesome is that?

We can’t wait for you to try it out!

Minor changes

Improved Collaborator Issue

We’ve tweaked things so that we won’t flag a collaborator issue when the email they’re using is from the same domain as your app’s set domain.

This should help cut down on those pesky false positives.
And guess what? We’ve done the same for emails that match the domain of the app owner, too.

We’re hoping this will make your life a little easier by reducing the number of issues you need to check out and ignore. Because, let’s face it, who needs extra work, right?

New Vulnerability Covered

We’ve found and added a new potential security issue to our tool: Google Maps API keys.

Just a heads-up, the Google Maps API key you’re using on Bubble is public.
So, to make sure it only works within your domain, you need to set up the right HTTP referrer restrictions.

Don’t worry, we’ve got you covered. Our tool now fetches your API key and checks if those HTTP referrer restrictions are in place.
Here’s the documentation about the new Google Maps Token issue.

I’ll see you very soon for Flusk Vault 1.4 with always-exciting features such as our security widget and our plugin cashback system!
In the meantime, you’re welcome to participate in our feature board!

1 Like

Thanks guys for helping Bubble ecosystem to be more secured!
With Flusk, we can easily enhance the security of my apps and protect sensitive data. :muscle: The seamless integration with Bubble makes it a must-have tool for any Bubble developer. Highly recommend giving Flusk a try

2 Likes

Thanks Jorge for your feedback, your support and for being one of the first serious early-adopters we had when we launched Vault.
Keep up the good work at Kreante :rocket: