Our Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The framework helps developers build more secure software by reducing the number and severity of vulnerabilities.
We utilize frameworks for security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
Code Base Testing
In addition to automated testing, our QA department reviews and tests our code base. Dedicated application engineers on staff identify, test, and triage security vulnerabilities in code.
Our source code repositories are continuously scanned for security issues via our integrated static analysis tooling.
Our application dependencies are continuously scanned for CVE information and remediated through automated pull requests when fixes are released.
We work hard to help you secure the software supply chain and have been delivering SBOMs alongside every KOTS, kURL, and Troubleshoot release.
We contract with expert firms to evaluate the security of our products. Three of our core components are open source and can even check for yourself.
Replicated is SOC 2 Type 2 compliant. You can also download our CSA STAR self assessment.
Security is of the utmost importance at Replicated.
As part of our EnterpriseReady project, we included Security as one of the main tenets of enterprise software. For SaaS companies working with larger enterprise IT buyers, it is incredibly important for product security to be an area of strength.
Do you have a security concern you’d like to report?
Input and feedback on our security, as well as responsible disclosure, is always appreciated.
Replicated maintains a bug bounty program through HackerOne. For an invitation to submit reports for a bounty, please email email@example.com. We will provide bounties for relevant issues in accordance with the terms of our bug bounty program.
Please act in good faith toward our users’ privacy and data during this process. Ethical researchers are always appreciated and we won’t take legal action against those offering security reports in good faith.
If you would like, you can use our PGP key to securely communicate with us. Our PGP key can be downloaded from here.
Our public key fingerprint is 7DE1 F885 2DB4 1E88 7A56 68A5 E682 0850 4F38 05FA.