Security at Replicated

Security is essential to enterprise software. At Replicated we are always working to improve the security of our software and internal processes. This page describes some of the measures we employ to protect our users' production environments.

If you have any questions please email security@replicated.com.

Communication and storage

Replicated is designed to be run behind a firewall or in an airgapped environment. To access the on-prem web console we currently mandate that you either provide an SSL certificate or use our self-signed certificates. We also strongly encourage our third-party vendors to always run behind either a customer-provided SSL certificate or the Replicated-generated certificate.

If utilizing the non-airgapped Replicated solution, there is limited communication between the Replicated daemon and replicated.com servers. Only the Replicated installable software communicates with Replicated's servers. All data is transmitted over SSL/TLS and encrypted end to end. These communications are enabled by your IT staff in accordance with your firewall/proxy settings.

User passwords for the Replicated vendor portal are hashed with bcrypt. User passwords are never stored in plaintext and are never visible to Replicated's staff.

Development processes

The major components of our developer infrastructure are only accessible through our VPN.

Where available, we mandate that all Replicated employees use 2FA for services that are not behind our VPN.

All production systems run on secured, hardened and patched OSes.

In our build process we use static code analysis to detect vulnerabilities. We run the following services against every build and do not promote a build unless it gets a clean bill of health.

Server security

Our systems are hosted in ISO 27001 and FISMA certified data centers managed by Amazon Web Services. The servers are controlled by Amazon's strict security measures, including on-site security staff, video surveillance, and two-factor authentication for physical access. These measures are verified by third-party auditors.

Reporting a security concern

Input and feedback on our security, as well as responsible disclosure, is always appreciated. Replicated maintains a bug bounty program through HackerOne. For an invitation to submit reports for a bounty, please email security@replicated.com. We will provide bounties for relevant issues in accordance with the terms of our bug bounty program.

Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated, and we won't take legal action against those offering security reports in good faith.

Reports from current and potential customers of any concerns are appreciated as well.