Evernote Security

I'm concerned about the security and privacy of my notes, so I was pleased to see this on EN's 'Security Overview:' In late 2016, we began migrating the Evernote service to the Google Cloud Platform (“GCP”). Customer data that we store in GCP will be protected using Google’s built-in encryption-at-rest features. Evernote News Unlocking Evernote’s Future. The new Evernote for iOS is a major milestone in our journey to rebuild our apps, our infrastructure, and how we ship software. But it's only the beginning.

If you have a billing issue, cannot log in to your Evernote account, or have any questions about your account's security, please contact our support team.

If you believe you’ve found a security vulnerability in an Evernote application, the Evernote platform, or our infrastructure that could harm Evernote or anyone who uses Evernote, please submit your findings through Evernote's HackerOne Program.

Evernote Security Hall of Fame

The individuals and teams listed below were the first to tell us about vulnerabilities that could harm Evernote or anyone who uses Evernote. Each of them have helped us make Evernote safer. If you disclosed a vulnerability to us before we created the Hall of Fame and would like to be listed, please let us know.

As of November 2019, this hall of fame page is no longer updated - instead, security researchers may receive credit for their findings through our HackerOne program.

2019

Arvind K. facebook.com/1808arvind
Sergey Toshin (@bagipro) https://hackerone.com/bagipro
Nikolay Anisenya
AJ Dumanhug of Secuna Infosec Team — https://secuna.io
Alesandro Ortiz — https://AlesandroOrtiz.com
shell_c0de — https://hackerone.com/shell_c0de
Marcos 'Karz' Santos
Grzegorz Niedziela — @gregxsunday
Zach Zenner — @Anxious_Rabbit_
Carlo Aprigliano — @carloaprigliano
huangfeihong
Guardio Research Team — https://guard.io
Gary Hunter (@pr3cur50r) — salt4n6.com
Renato Chencinski — https://www.linkedin.com/in/renatochen/
Julien Thomas — Protektoid Project
Dhiraj Mishra — @mishradhiraj_
hearmen — http://mohamoha.club
Jim Challis — @disgraceUK
Taha Ismail — @rjtahaofficial

2018

Ali Razzaq — @alirazzaq_
Sameer Phad — @sameerphad72
Muhammad Khizer Javed — https://twitter.com/KHIZER_JAVED47
Haitao Zhang
Vineet Kumar — https://hunter2.com/
Steven Seeley (mr_me) of Source Incite
Gayatri Rachakonda
pavanw3b — https://pavanw3b.com
Tongqing Zhu (Knownsec 404 Team) — https://www.knownsec.com/
ning1022 — https://github.com/ning1022
Sebao — http://www.daimacn.com
Jens Müller — @jensvoid
Lakshay Gupta — https://www.linkedin.com/in/lakshay-gupta-44102a143
Viswanathan Govindarajan (கோ.விஸ்வநாதன்) — https://www.linkedin.com/in/adamviswa/
Tony D'Amato
Syed Abuthahir — https://www.linkedin.com/in/developerabu
Anne
Wai Yan Aung — @waiyanaun9
Jatin Dhankhar — https://jatindhankhar.in/
Adam Chester ( @_xpn_) — https://blog.xpnsec.com/

2017

CongRong (@Tr3jer) — http://www.Thinkings.org/
Marcel Brixel — https://au.linkedin.com/in/brixelmarcel
SHWETABH SUMAN ( @SHWETABHSUMAN11 ) — https://www.facebook.com/profile.php?id=100011024580051
Juba Baghdad — https://twitter.com/JubaBaghdad
Shivam Poddar — https://twitter.com/TheShivamPoddar
Vishal Shukla —https://twitter.com/shukla304
Ali Burak AYDIN —https://www.linkedin.com/in/aliburakaydin
Vijay Mahajan — https://www.facebook.com/vijay12041997
Dmitry Ivanov — https://twitter.com/d1m0ck
ak1t4 — https://twitter.com/knowledge_2014
Raynold Sim
Greg Royce
Jaikishan Tulswani — https://twitter.com/_iamjk
Amit Sangra — Linkedin.com/in/Hitman
Atik Rahman — https://facebook.com/kind.atik
Jay Jani — https://www.facebook.com/janijay007
Julien Joubert-Gaillard — jmclej@gmail.com
Ahmed Raza Memon — facebook.com/cmagicianx
Julian Maynard — https://www.linkedin.com/in/maynardjulian
Alex Kolchanov — kolchanov.info
Markus Roedel — http://www.comaro.net
Gregor Hehenberger — http://www.hehenberger.biz
Zhiyang Zeng — https://lightrains.org

2016

shivankarmadaan — https://twitter.com/shivankarmadaan
nope_
Cadmus — http://cadmus.ru
Yaroslav Olejnik - O.J.A. — https://twitter.com/oja_c7s
ooooooo_q — https://twitter.com/ooooooo_q
Vijju VijayKumar — https://twitter.com/bloggingvijay
Ian Hickey — http://www.ten24web.com
Omar Kurt — @omarkurt
Ty Smith — @tsmith
Himanshu Mehta — https://in.linkedin.com/in/himanshumehta21
M4ster — zhoul2@knownsec.com/
Tianqi Zhang — https://www.vulbox.com/
baimaohui — http://weibo.com/u/5734490991
Adam Chester — @_xpn_
Al Stewart
Yuyang Zhou — http://weibo.com/u/1312149403
Akshay Jain — https://www.facebook.com/akshayjain011
Renato Chencinski — http://inspira.work/
Ahmed Adel Abdelfattah — https://www.facebook.com/00SystemError00

2015

Eusebiu Blindu — http://www.testalways.com
Arseniy Kostromin — https://twitter.com/0x3C3E
Mohamed Khaled Fathy — https://www.facebook.com/Squnity
Jamieson O'Reilly — https://au.linkedin.com/pub/jamieson-o-reilly/70/b64/13a
Othmane Tamagart — @0thm4n_WhiteHat
Edison He — 0xedison@gmail.com
Saurabh Swaroop — saurabhcs0097@gmail.com
Muhammad Osama — https://www.facebook.com/profile.php?id=100001183774319
Shivam Kumar Agarwal — https://www.facebook.com/shivamkumar.agarwal.9
Adam Chester — @_xpn_
Sree Visakh Jain — http://www.wayanadweb.com
Luyi Xing — http://homes.soic.indiana.edu/luyixing
Tongxin Li — litongxin1991@gmail.com
Xiaolong Bai — bxl1989@gmail.com and bxl12@mails.tsinghua.edu.cn
Xiaojing Liao — http://users.ece.gatech.edu/~xliao9/
XiaoFeng Wang — http://www.informatics.indiana.edu/xw7/
Swaroop Yermalkar — @swaroopsy
Markus Roedel — http://www.comaro.net
Shawar Khan — https://www.facebook.com/shawarkhanskofficial
Sergio M Furtado Valeriano — https://www.facebook.com/sergio.valeriano
Kalpesh Makwana — @makwanakalpesh2
Ala Arfaoui — https://www.facebook.com/alaa.arfaoui
Dmitry Kusliy — @dkusliy
Zhe-An Lin — http://about.me/zal
Frans Rosén — https://detectify.com
Raja Kishore Kavi — www.facebook.com/rajakishorekavi

2014

In-Gyu, Tae — graylynx@gmail.com
Dmitry Kusliy — @dkusliy
Francis Rohner — http://francisrohner.com/
Fizer Khan — http://www.fizerkhan.com/
Sachin Hallad
Weichao Sun — http://blog.trendmicro.com/trendlabs-security-intelligence/author/weichao-sun/
Daoyuan Wu and Rocky Chang
Mark Arena — http://intel471.com/
Tianqi Zhang — http://www.freebuf.com/
Rakesh Karankote — @rakeshnagekar
Erik Romijn — @erikpub
Takashi Uchibe — http://uchibe.net/
Krishna Chaitanya Kadaba — http://www.cigniti.com/security-testing
Yu-Cheng Lin — http://www.AndroBugs.com
Mariem El Gharbi — @mstramgram
zhaohuan — http://security.tencent.com
Rakan Alotaibi — @hxteam
Nakul Mohan — https://www.facebook.com/nakul.cia
Anonymous India — @Anonymous_India
Yutong Pei — http://yutong.me/
Eric Chen — http://ericchen.me/
Yuan Tian — Yuan Tian
Robert Kotcher — http://www.robertkotcher.com/
Sebastian Guerrero — @0xroot
Richard Hicks — @scriptmonkey_
Kalki — @kalkihere
Masato Kinugawa — @kinugawamasato
ma.la — http://ma.la
Fabien Duchène — @fabien_duchene
Riccardo Arvizzigno — @riccardoar

2013

ooooooo_q — @ooooooo_q
Th. Michael Eißele
William C. Beegle
Adam Caudill — http://adamcaudill.com
piyokango — @piyokango
John Bicket — http://www.linkedin.com/in/jbicket
Rakan Alotaibi — @hxteam
Rafael Pablos — http://silverneox.blogspot.com
Zakaria Rachid — http://www.4sec.fr
Vladimir Kochetkov — @kochetkov_v
Noriaki Iwasaki — @iwasakinoriaki
Masato Kinugawa — @kinugawamasato
Pralhad Chaskar — @c0d3xpl0it
Denis Kolegov — @dnkolegov
Nitesh Shilpkar — @NiteshShilpkar
Shubham Raj — http://www.openfire-security.net
Osman Doğan — @osmand0gan
Kamil Sevi — @kamilsevi
Ciaran McNally — http://makthepla.net
Olivier Beg — http://olivierbeg.nl
Shahee Mirza — @shaheemirza
Tejash Patel — @tejash1991
Maxim Rupp
Chris John Riley — http://blog.c22.cc
Ahmad Ashraff — @yappare
ma.la — http://ma.la
Hiroshi Tokumaru — @ockeghem
Ryan Dewhurst — http://www.randomstorm.com
Avram Marius Gabriel — http://www.randomstorm.com

2012

Yuji Kosuga — @yujikosuga
ma.la — http://ma.la

2011

ma.la — http://ma.la
Hiroshi Tokumaru — @ockeghem

Introduction

Evernote users trust us with billions of their notes, projects, and ideas. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Security Program

Security is a dedicated team within Evernote. Our security team's charter is protecting the data you store in our service. We drive a security program that includes the following focus areas: product security, infrastructure controls (physical and logical), policies, employee awareness, intrusion detection, and assessment activities.

The security team runs an in-house Incident Response (“IR”) program and provides guidance to Evernote employees on how to report suspicious activity. Our IR team has procedures and tools in place to respond to security issues and continues to evaluate new technologies to improve our ability to detect attacks against our infrastructure, service, and employees.

We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. Our security team continually evaluates new tools to increase the coverage and depth of these assessments.

Network Security

Evernote defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

Account Security

Evernote never stores your password in plaintext. When we need to securely store your account password to authenticate you, we use PBKDF2 (Password Based Key Derivation Function 2) with a unique salt for each credential. We select the number of hashing iterations in a way that strikes a balance between user experience and password cracking complexity.

While we don’t require you to set a complex password, our password strength meter will encourage you to choose a strong one. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.

Evernote offers two-step verification (“2SV”), also known as two-factor or multi-factor authentication, for all accounts. Our 2SV mechanism is based on a time-based one-time password algorithm (TOTP). All users can generate codes locally using an application on their mobile device or can choose to have the codes delivered as a text message.

Email Security

Evernote gives you a way to create notes in your account by sending emails to a unique Evernote email address. To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine.

When you receive an email from Evernote, we want you to be confident that it really came from us. We publish an enforcing DMARC policy to improve your confidence that email you receive from Evernote is legitimate. Every email we send from the following domains will be cryptographically signed using DKIM and originate from an IP address we publish in our SPF record.

Mac os image for vmware download. Evernote:

@evernote.com
@emails.evernote.com
@comms.evernote.com
@discussion-notification.evernote.com
@mail-svc.evernote.com
@account.evernote.com
@notifications.evernote.com
@messages.evernote.com

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our security team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues including: CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

Our web service authenticates all third party client applications using OAuth. OAuth provides a seamless way for you to connect a third party application to your account without needing to give the application your login credentials. Once you authenticate to Evernote successfully, we return an authentication token to the client to authenticate your access from that point forward. This eliminates the need for a third party application to ever store your username and password on your device.

Every client application that talks to our service uses a well-defined thrift API for all actions. By brokering all communications through this API, we’re able to establish authorization checks as a foundational construct in the application architecture. There is no direct object access within the service and each client’s authentication token is checked upon each access to the service to ensure the client is authenticated and authorized to access a particular note or notebook. Please see dev.evernote.com for more information.

Customer Segregation

The Evernote service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it.

Data Retention and Deletion

Evernote retains your content unless you take explicit steps to delete notes and/or notebooks. For information on how to delete notes, please see this help center article. For information on our retention policies, please refer to the section of our privacy policy, titled “Information Deletion”.

Media Disposal and Destruction

We securely erase or destroy all storage media if it has ever been used to store user data. We follow NIST’s guidance in special publication 800-88 to accomplish this. For an example of how we securely destroy broken hard drives, please check out this blog article.

We utilize a variety of storage options in Google’s Cloud Platform (“GCP”), including local disks, persistent disks, and Google Cloud Storage buckets. We take advantage of Google’s cryptographic erasure processes to ensure that repurposing storage does not result in exposing private customer data.

Evernote Security Settings

Activity Logging

The Evernote service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. We also collect event data from our client applications. You can view the recent access times and IP addresses for each application connected to your account in the Access History section of your Account Settings.

Transport Encryption

Evernote uses industry standard encryption to protect your data in transit. This is commonly referred to as transport layer security (“TLS”) or secure socket layer (“SSL”) technology. In addition, we support HTTP Strict Transport Security (“HSTS”) for the Evernote service (www.evernote.com). We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers and clients that support it and backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture to support our commitment to protecting your data.

We support STARTTLS for both inbound and outbound email. If your mail service provider supports TLS, your email will be encrypted in transit, both to and from the Evernote service.

We protect all customer data flowing between our data center and the Google Cloud Platform using IPSEC with GCM-AES-128 encryption or TLS.

Encryption at Rest

In late 2016, we began migrating the Evernote service to the Google Cloud Platform (“GCP”). Customer data that we store in GCP will be protected using Google’s built-in encryption-at-rest features. More technically, we use Google's server-side encryption feature with Google-managed encryption keys to encrypt all data at rest using AES-256, transparently and automatically. You can find additional information on how encryption at rest protects your data here.

Resiliency / Availability

X plane 10 for mac. We operate a fault tolerant architecture to ensure that Evernote is there when you need it.

Evernote Security Breach 2020

In our both our physical data centers and our cloud infrastructure, this includes:

Diverse and redundant Internet connections
Redundant network infrastructure including switches, routers, and firewalls
Redundant application load balancers
Redundant servers and virtual instances
Redundant underlying storage

Both Google and our colocation vendor provide fault tolerant facility services including: power, HVAC, and fire suppression.

We provide live and historical status updates on our service availability here: https://twitter.com/evernotestatus and http://status.evernote.com.

We back up all customer content at least once daily. We do not utilize portable or removable media for backups.

Physical Security

We operate the Evernote service using a combination of cloud services and physical data centers.

For our data centers, we secure our infrastructure in a private, locked cage that includes 24x7x365 monitoring. Access to these data centers requires at a minimum, two-factors of authentication, but may include biometrics as a third factor. Each of our data centers has undergone a SOC-1 Type 2 audit, attesting to their ability to physically secure our infrastructure. Only Evernote operations personnel and data center staff have physical access to this infrastructure and our operations team is alerted each time someone accesses our cage, including a video record of the event.

For our cloud services, we use the Google Cloud Platform. Google has undergone multiple certifications that attest to its ability to physically secure Evernote’s data. You can read more about Google Cloud Platform’s security here.

All Evernote data resides inside the United States.

Privacy and Compliance

Please see our privacy center for more information. We do not publish a Service Organization Control (“SOC”) report.