Replicated is designed to run behind a firewall or in an airgapped environment. To access the on-prem web console, we currently mandate that you either provide an SSL certificate or use our self-signed certificates. We also highly encourage our third-party vendors to always run behind either a provided SSL certificate or the Replicated-generated certificate.
When utilizing the non-airgapped Replicated solution, there is limited communication between the Replicated daemon and replicated.com servers. Only the Replicated installable software communicates to Replicated’s servers. All data is transmitted over SSL/TLS and encrypted end to end. These communications are enabled by your IT person in accordance with your firewall/proxy settings.
User passwords for the Replicated vendor portal are secured with bcrypt. User passwords are never stored in plaintext and never visible to Replicated’s staff.
The major components of our developer infrastructure are only accessible through our VPN.
Where available, we mandate that all Replicated employees utilize 2FA for services that are not behind our VPN.
All production systems run on secured, hardened and patched operating systems.
In our build process, we utilize static code analysis to detect vulnerabilities. We run these tools against every build and do not promote a build unless we get a clean bill of health.
As part of our EnterpriseReady project, we included Security as one of the main tenets of enterprise software. For SaaS companies working with larger enterprise IT buyers, it is incredibly important for product security to be an area of strength.
Our systems are hosted in ISO 27001 and FISMA-certified data centers managed by Amazon Web Services. The servers are controlled by Amazon’s strict security measures, including onsite security staff, video surveillance and two-factor authentication for physical access. These measures are verified by third-party auditors.
Input and feedback on our security, as well as responsible disclosure, is always appreciated. Replicated maintains a bug bounty program through HackerOne. For an invitation to submit reports for a bounty, please email [email protected]. We will provide bounties for relevant issues in accordance with the terms of our bug bounty program.
Please act in good faith toward our users’ privacy and data during this process. White hat researchers are always appreciated and we won’t take legal action against those offering security reports in good faith.
Reports from current and potential customers of any concerns are appreciated, as well.
If you would like, you can use our PGP key to communicate securely with us. Our PGP key can be downloaded from https://github.com/replicatedhq/security/blob/master/replicated-security.asc.
Our public key fingerprint is 7DE1 F885 2DB4 1E88 7A56 68A5 E682 0850 4F38 05FA.