🚀 [Open Alpha] Finally a Tool for Bubble Security - Introducing Flusk Vault

Hi everyone :wave:
At Flusk, we are working on the security of Bubble applications.
We did a lot of security audits, and we finally managed to automate 90% of them internally. So we will soon release a security tool to do automated audits on Bubble applications.

Here are some of the points we cover:

  • Privacy rules checker
  • Swagger / Editor privacy
  • Bad redirections / Compromised page access
  • Admin injections
  • URL parameter brute-forcing
  • Cookie exploit
  • XHR requests crawler / Misconfigured do a search
  • Sensitive URL parameters, headers and URLs in APIs
    …

And some of the already integrated features:

  • Automated test when pushing a version live
  • Multi-branch/version support
  • Unlimited tests
  • Complete explanations about issues and solutions
  • Full support through chat and video call

We need beta testers (agencies, freelancers and developers) to help us build the product hand in hand with our users and to know how we can best integrate into their app production processes.

:point_right: If you want to help us make the Bubble ecosystem more secure, feel free to reply and we’ll invite you to our private Alpha so you can test and give us your feedback.

Otherwise, we’re planning on releasing the tool for an open beta by March 2023!

We’ll post updates here as we move forward with the tool.
See you soon!


Victor from Flusk

Flusk - a hub of tools and services for Bubble makers and businesses

26 Likes

Interested

I think Bubble should just buy this right away and implement it as part of the editor. Flutterflow already have a similar thing going.

But at this price… they probably can’t afford it, and no one else either for that matter hehe.

### Pricing
### Flusk Membership
Starting from 3 500€ / month

2 Likes

Agree! Especially as Bubble knows well which data is used where and how it’s set up!

I reassure you this is the pricing for another service. We’re planning on releasing this tool at 30-80$ :yum:
All beta testers will get a free discount by the way.

3 Likes

Love this service - something a little tangential that caught my eye - you say you’re able to automatically audit when an app is updated - how do you detect that an app has updated? Are you polling a site to check if its deploy id has changed or do you have another system in place that doesn’t require constantly pinging an app?

1 Like

At this stage, we ping apps on a regular basis (every 30 minutes) to detect any updates on their versions/branches.

We do that by fetching the “last_change” UNIX timestamp that every app exposes and comparing it with our internal record/save of your app!

3 Likes

That makes sense :slight_smile: Thanks for sharing

1 Like

You’re welcome!

I’d love to take part in the Alpha

Sure! Just sent you a link! :rocket:

Happy to sign up for the alpha :slightly_smiling_face:

Just signed you in, you should have received the invitation :yum:

Please sign me up for the alpha

Interested in the alpha!

Just invited you @c.wittelsberger & @danibrario :yum:

1 Like

We received a few messages from our current beta testers about privacy, so for those who also share this concern, here is an article about how we process data:
https://help.flusk.eu/en/articles/6933917-how-does-flusk-vault-process-your-application-data-and-privacy

Good on you folks for writing that article because my first thought when you posted about your tool (and no offense, of course, because it was the same thought I had when at least two similar tools were posted over the past year or two) was something along the lines of, “Cool… but why should I trust you guys with my app?” Don’t take that personally, please, because I am probably one of the most paranoid people you’d ever meet. Hell, it’s hard for me to trust Bubble sometimes, and they built the damn platform.

Again, though, kudos on hitting the trust thing head on because I believe it’s an uphill battle, and I wish you the best of luck with it because security is such an important piece of the puzzle.

1 Like

Thanks! Yes, I totally agree with you, we’re trying to offer a security tool which… in itself could be a security vulnerability.

Thanks for your comment though :slight_smile:

1 Like

Invite me please

Done!