As a part of selling our solution to enterprise customers we complete penetration testing regularly. The results from which identify which elements of the Bubble environment (outside the control of the application developer) that are out of compliance with current GDPR, PCI DSS and OWASP ASVS requirements.
Where should these results be sent? Does anyone care, that a vulnerability in the Bubble environment immediately prevents 100% of its customers being able to claim GDPR compliance?
Our last round of testing has identified two libraries preventing GDPR compliance being granted and raft of others that a low vulnerabilities. Where do we send this information?
Or is the answer that such vulnerabilities should be hashed out here on the forum? Looking through the forum, the tendency is to try and shut these posts down as fast as possible rather than establish a proper communication flow. Thoughts?
3 Likes
You can contact support - but any claim that you can’t build GDPR compliant apps on Bubble is likely being made by someone who is trying to sell you their security services…
1 Like
That’s always a concern, but unless you can find a way to manually update your own version of jquery-ui we remain on a version that the current requirement identifies as having vulnerabilities. Been down the support track multiple times and get the same response, “Not Our Concern” and then we escalate and then more “Not Our concern” and then eventually, someone calls. But each time through it, the “someone” has been different. Executive, Sales Reps, etc. Maybe we do we need to just post it publicly and get some attention on it.
EDITED Also, search the forums for this. Someone was denied Zoom Marketplace registration because of the same jquery-ui JS library in August 2022. Funny thing is its still the same version today as it was back then (v1.12.1). My point is, that nobody cares. This puts us all in a difficult situation when we have customers that do 
You’re confusing security and compliance.
An app with actual, severe vulnerabilities, is not automatically non-compliant (let alone one outdated JS library). Compliance is about risk management, not security. It’s about demonstrating that you’ve assessed risks and put in place adequate safeguards and compensating controls, rather than achieving a perfect, zero-vulnerability state.
I promise that if you have a production app built on Bubble, this is not your app’s biggest security issue.
3 Likes
Email security@bubble.io and keep escalating. There’s a chance this doesn’t affect Bubble depending on how they’ve implemented it.
@josh
Thanks @randomanon. Good advice.
1 Like
After following @randomanon advice, I’ve waited a week only to have Support step in and close the ticket without providing any information on how they propose to deal with the situation. They did identify how you might be able trace a library back to it’s plug in which was useful, but in our situation, the 11 vulnerabilities we sent all sat within native Bubble libraries. Not sure of the next step, but I’ve asked support to not close the ticket and get an answer from the security team so that we can show our customers that we take security seriously and have a plan in place to protect their data!
1 Like
Bubble support is variable unfortunately.
I once reported a security concern and received a useless red tape response, so I gave up on that support agent and opened another ticket. The second support person actually followed up on the issue, and the developers fixed the security bug within that week.
You just have to keep trying.
Further update…of the 11 vulnerabilities we sent 2 relate to achieving PCI & GDPR compliance. Here is there response to those two libraries needing to be updated:
- “We know” (we know they have known for more than two years now)
- “We know now”
No plan. No detail. Nothing that can be used by an app builder to help their customers understand the plan for compliance in the future. I’m sorry. I wish I was wrong here, but we go through this every time we run a test. No accountability to actually provide a platform that adheres to the compliance standards they already claim.
While the rhetoric is “Yes, the platform is secure and compliant but it’s how you build the app that matters”, is actually false. You’re out of compliance from the get go because fundamental components of infrastructure won’t pass the tests required.
The one piece of guidance I’d give is that not using the Bubble RTF fields can reduce the non-compliant libraries to 1.
1 Like
You are right on the last point. And while you are right that “vulnerabilities” do not determine “compliance” there are some that do. In our case we are being told that two specific vulnerabilities are not acceptable for the testing organization to issue a compliant status because they violate the risk profile of the compliance framework. The more I research the specifics, I understand their reasoning.
My larger point its that there was any due diligence at Bubble, I’d be having this conversation with them, but instead, we are forced to have it here.
@sanastasi I’d love to pass this along internally to some team members so they can take a look. Would you mind sending me a DM (to protect your privacy) with more details around the tests, the app, etc? It would be really helpful
I appreciate the offer @fede.bubble although such a next step serves to validate the frustration I’m sure many bubblers feel about having Bubble own the platform’s GDPR/PCI compliance status.
Support tickets lead nowhere. Emails to @josh or @emmanuel lead nowhere. Emails to security@bubble.io lead nowhere. Then a community moderator graciously offers to “pass it along”. To whom? Whomever it is, “they” already have it.
July 2020 Forum Post
September 2022 Forum Post
August 2022 Forum Post
May 2022 Forum Post
Don’t worry. If we close it. It will go away.
I just received another update that can best be summarized as, “No plans to resolve anything because it complex.” Clearly.
It’s not my privacy I’m worried about, it’s the integrity of every Bubbler trying to convince their customer’s to buy a non-compliant (GDPR/PCI) solution.
Despite having spent countless hours pouring their soul into the application, the best they can say is that the base platform is non-compliant and there is no plan to update jquery.js or quill.js in the foreseeable future. Bitterly disappointing for anyone trying to take the platform seriously.
1 Like
Good to know
They don’t allow HSTS headers either.
The internet security area is full of bullshit, trying to convince people of insecurities
1 Like
