Cloudsmith has been independently audited and verified against OWASP ASVS (Application Security Verification Standard) 4.0, Level 2. To achieve this, we built security measures in at each stage of architecting the cloud-native Cloudsmith platform, and we use best-in-class security tools and practices to maintain a high level of security focus.
All data is encrypted in transit through every layer of our application and processing. This is typically TLS 1.2 or later, with TLS 1.1 still accepted for compatibility. Note that TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so clients should be configured to negotiate TLS 1.2 or higher rather than relying on the compatibility fallback.
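The practical check behind a statement like this is whether an endpoint actually refuses anything below its advertised TLS floor. The Go program below is an added example and not Cloudsmith's code: it starts a loopback TLS server with a configurable minimum version, generates a throwaway self-signed certificate for 127.0.0.1 (constructed test material), and probes the server once per protocol version. With a TLS 1.2 floor the TLS 1.1 probe is refused; with a TLS 1.1 floor, the "compatibility" setting described above, the same probe succeeds. The helper names `selfSignedCert`, `startServer` and `probe`, the loopback address and the certificate contents are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert creates a throwaway ECDSA certificate for 127.0.0.1 so the demo
// runs offline. Constructed test material only; nothing here is a Cloudsmith key.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// startServer listens on loopback with minVersion as its TLS floor and runs the
// handshake for every connection it accepts. It returns the address to dial.
func startServer(minVersion uint16, cert tls.Certificate) (string, error) {
	// MinVersion is the policy under test; everything else is Go's defaults.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // version negotiation happens here
			}()
		}
	}()
	return ln.Addr().String(), nil
}

// probe dials addr offering exactly one protocol version and returns the version
// the server negotiated, or an error if the server refused it. Pointed at a real
// endpoint (with roots == nil to use system roots) it verifies a stated TLS floor.
func probe(addr string, version uint16, roots *x509.CertPool) (uint16, error) {
	cfg := &tls.Config{MinVersion: version, MaxVersion: version, RootCAs: roots}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

var versionName = map[uint16]string{tls.VersionTLS11: "TLS 1.1", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	// Compare a strict TLS 1.2 floor with a TLS 1.1 floor kept "for compatibility".
	for _, floor := range []uint16{tls.VersionTLS12, tls.VersionTLS11} {
		addr, err := startServer(floor, cert)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server floor %s at %s\n", versionName[floor], addr)
		for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
			if got, err := probe(addr, v, roots); err != nil {
				fmt.Printf("  offered %s -> rejected: %v\n", versionName[v], err)
			} else {
				fmt.Printf("  offered %s -> accepted, negotiated %s\n", versionName[v], versionName[got])
			}
		}
	}
}
```

Run it with `go run`. Because `probe` pins both `MinVersion` and `MaxVersion` to the same value, each dial offers exactly one version, so a successful handshake proves the server accepts that version and a failure proves it does not; a scan of a public host is the same loop with `roots` set to nil and `addr` set to the host and port.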
Encryption keys are held in an HSM (Hardware Security Module), in a KMS (Key Management Service), or supplied via the environment (symmetric keys with rotation), depending on what is being accessed. Key rotation is handled internally.
Security issues take priority over all other issues, and the team will investigate and respond to any reported vulnerability that is in scope. We ask that you do not publicly disclose an issue until Cloudsmith has confirmed and resolved it.
We understand the hard work and knowledge required to identify viable security issues. To show our appreciation, we offer a reward program for responsibly disclosed in-scope vulnerabilities.
Details of our active, open-ended bug bounty program:
You can see some of the exploit categories identified and fixed here:
We are in the process of certifying for ISO/IEC 27001:2013 and, once that is achieved, will follow with SOC 2.
Updated about a year ago