Security at Replicated

Security is essential to enterprise software. At Replicated, we are always working to improve the security of our software and internal processes. This page describes some of the measures we employ to protect our users’ production environments.

If you have any questions, please email [email protected].

Communication and storage

Replicated is designed to run behind a firewall or in an airgapped environment. To access the on-prem web console, we currently mandate that you either provide your own SSL certificate or use our self-signed certificate. We also strongly encourage our third-party vendors to always run behind either a customer-provided SSL certificate or the Replicated-generated certificate.

When using the non-airgapped Replicated solution, there is limited communication between the Replicated daemon and replicated.com servers. Only the Replicated installable software communicates with Replicated's servers. All data is transmitted over SSL/TLS and encrypted end to end. These communications are enabled by your IT staff in accordance with your firewall/proxy settings.

User passwords for the Replicated vendor portal are secured with bcrypt. User passwords are never stored in plaintext and are never visible to Replicated's staff.

Development processes

The major components of our developer infrastructure are only accessible through our VPN.

Where available, we mandate that all Replicated employees use 2FA for services that are not behind our VPN.

All production systems run on secured, hardened and patched operating systems.

In our build process, we use static code analysis to detect vulnerabilities. We run these tools against every build and do not promote a build unless it receives a clean bill of health.

Server security

Our systems are hosted in ISO 27001- and FISMA-certified data centers managed by Amazon Web Services. The servers are controlled by Amazon's strict security measures, including on-site security staff, video surveillance and two-factor authentication for physical access. These measures are verified by third-party auditors.

Reporting a security concern

Input and feedback on our security, as well as responsible disclosure, are always appreciated. Replicated maintains a bug bounty program through HackerOne. For an invitation to submit reports for a bounty, please email [email protected]. We will provide bounties for relevant issues in accordance with the terms of our bug bounty program.

Please act in good faith toward our users' privacy and data during this process. White-hat researchers are always appreciated, and we won't take legal action against those offering security reports in good faith.

Reports from current and potential customers of any concerns are appreciated, as well.