Security at Replicated

Secure Product Development Lifecycle

Our Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The framework helps developers build more secure software by reducing the number and severity of vulnerabilities.

We utilize frameworks for security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.

In addition to automated testing, our QA department reviews and tests our code base. Dedicated application engineers on staff identify, test, and triage security vulnerabilities in code.

Testing and staging environments are separated from the production environment. No actual customer data or vendor data is ever used in the development, staging, or test environments.

Our source code repositories are continuously scanned for security issues via our integrated static analysis tooling.

Our application dependencies are continuously scanned for CVE information and remediated through automated pull requests when fixes are released.

We work hard to help you secure the software supply chain and have been delivering SBOMs alongside every KOTS, kURL, and Troubleshoot release.

3rd Party Tested

Bug Bounty Program

We believe in responsible disclosure and support a community of ethical hackers with HackerOne 

Penetration Tested

We contract with expert firms to evaluate the security of our products. Three of our core components are open source and can even check for yourself.


Replicated is SOC 2 Type 2 compliant.

You can also download our CSA STAR self assessment.

Security is of the utmost importance at Replicated.

As part of our EnterpriseReady project, we included Security as one of the main tenets of enterprise software. For SaaS companies working with larger enterprise IT buyers, it is incredibly important for product security to be an area of strength.

View the Guide

Do you have a security concern you’d like to report?

Input and feedback on our security, as well as responsible disclosure, is always appreciated. 

Replicated maintains a bug bounty program through HackerOne. For an invitation to submit reports for a bounty, please email We will provide bounties for relevant issues in accordance with the terms of our bug bounty program.

Please act in good faith toward our users’ privacy and data during this process. Ethical researchers are always appreciated and we won’t take legal action against those offering security reports in good faith.

If you would like, you can use our PGP key to securely communicate with us. Our PGP key can be downloaded from here.

Our public key fingerprint is 7DE1 F885 2DB4 1E88 7A56 68A5 E682 0850 4F38 05FA.

Our vulnerability patching policy is part of our product documentation.

Current Disclosures

To view our current list of security disclosures, please visit our public security disclosures page.

Replicated Security White Paper

For a deeper look into Replicated’s security posture please read our published Security White Paper.