Security at Replicated

Download our Security Whitepaper

Secure Product Development Lifecycle

Our Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The framework helps developers build more secure software by reducing the number and severity of vulnerabilities.

Security Framework

We utilize frameworks for security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.

Code Base Testing

In addition to automated testing, our QA department reviews and tests our code base. Dedicated application engineers on staff identify, test, and triage security vulnerabilities in code.

Analysis Tooling

Our source code repositories are continuously scanned for security issues via our integrated static analysis tooling.

Vulnerability Fixes

Our application dependencies are continuously scanned for CVE information and remediated through automated pull requests when fixes are released.


We work hard to help you secure the software supply chain and have been delivering SBOMs alongside every KOTS, kURL, and Troubleshoot release.

3rd Party Tested

Bug Bounty Program

We believe in responsible disclosure and support a community of ethical hackers with HackerOne 

Penetration Testing

We contract with expert firms to evaluate the security of our products. Three of our core components are open source and can even check for yourself.


Replicated is SOC 2 Type 2 compliant. You can also download our CSA STAR self assessment.

Security is of the utmost importance at Replicated.

As part of our EnterpriseReady project, we included Security as one of the main tenets of enterprise software. For SaaS companies working with larger enterprise IT buyers, it is incredibly important for product security to be an area of strength.

Do you have a security concern you’d like to report?

Input and feedback on our security, as well as responsible disclosure, is always appreciated.

Replicated maintains a bug bounty program through HackerOne. For an invitation to submit reports for a bounty, please email We will provide bounties for relevant issues in accordance with the terms of our bug bounty program.
Please act in good faith toward our users’ privacy and data during this process. Ethical researchers are always appreciated and we won’t take legal action against those offering security reports in good faith.

If you would like, you can use our PGP key to securely communicate with us. Our PGP key can be downloaded from here.

Our public key fingerprint is 7DE1 F885 2DB4 1E88 7A56 68A5 E682 0850 4F38 05FA.

Our vulnerability patching policy is part of our product documentation.

Current Disclosures

Our current list of security disclosures

Replicated Security Whitepaper

For a deeper look into Replicated’s security posture please read our published whitepaper.