by SahAssar 2564 days ago
I haven't read through the landing page yet, but running JS from third-party sources without SRI and having a very lax CSP[1] (allowing 235 host/resource combinations) does not exactly scream "security" to me. See for example https://dmsec.io/hacking-thousands-of-websites-via-third-par... which is also on the frontpage right next to you.

The CSP on your login screen is slightly more restricted, but still allows 102 host/resource combinations through (not counting the host hosting the page itself).

Personally, when evaluating a security product I'll check this stuff, since if a company does not take proper security measures for themselves, then how can I trust them to do it for their clients?

[1]: https://pastebin.com/RvUypSYP

1 comment

You are correct, our content security policy is not perfect, and we are gradually improving it. Security is a journey and there is no such thing as perfect security. We are striving to incrementally improve everything we are doing as our team is scaling.

My question is: If you talked to a customer and they said "we have around 200 hosts not controlled by us running code and reading data from our systems, is that a problem?" would you say "no, that is totally fine"?

It doesn't need to be perfect, but I think that for a security firm we should be able to do better.