Security at Cloudsmith

Security is paramount and we are actively engaged in continuous security and always improving the security of our processes and services. If you need more information than provided here, please contact us.

Cloudsmith has been independently audited and verified against ASVS 4.0, Level 2. To accomplish this, we built-in security measures at each stage of architecting the Cloudsmith cloud-native platform and make use of best-in-class security tools and practices to maintain a high level of security focus.

Encryption of sensitive data and communication

All data is encrypted in transit, through all layers of our application and processing. Typically this is TLS1.2+ but supporting TLS1.1 for compatibility.

All data is encrypted at rest. This is a combination of AES-256 and AWS-based KMS for packages, and Fernet based (plus others) for "sensitive data" in relational data.

Encryption keys are either HSM (Hardware Security Module), KMS (Key Management Service) or via environment (symmetric with rotations) depending on what's been accessed. Rotation is handled internally.

Vulnerability disclosure and Bug Bounty program

Security issues are considered a higher priority than all other issues and the team will investigate and respond to any reported vulnerability in scope. We request that you do not publicly disclose the issue until it has been identified and resolved by Cloudsmith.

We understand the hard work and knowledge required to identify viable security issues. To show our appreciation we offer a reward program for responsibly disclosed vulnerabilities in scope.

Details of our active, open-ended bug bounty program:
https://help.cloudsmith.io/docs/bug-bounty-programme

You can see some of the exploit categories identified and fixed here:
https://help.cloudsmith.io/docs/exploits-hall-of-fame

Security Certifications

200200

Cloudsmith is certified under the Information Security Management Systems standard ISO27001:2013, also known as ISO27001.

ISO27001 certification details the requirements for implementing an Information Security Management System (ISMS) within organizations, with the ultimate aim to ensure that the information assets they possess are more secure. Designed to cover much more than just IT, it is a complete end-to-end framework of policies and procedures that includes people, processes, and controls at all levels of the business.

ISO27001 certification demonstrates Cloudsmith's commitment to security and privacy. The ISO27001 cert can be downloaded here. For any information about our ISO27001 certification contact us at [email protected].


Did this page help you?