The Cloudsmith Developer Hub

Welcome to the Cloudsmith Developer Hub. You'll find comprehensive guides and documentation to help you start working with Cloudsmith as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Security at Cloudsmith

Security is paramount and we are actively engaged in continuous security and always improving the security of our processes and services. If you need more information than provided here, please contact us.

Cloudsmith has been independently audited and verified against ASVS 4.0, Level 2. To accomplish this, we built-in security measures at each stage of architecting the Cloudsmith cloud-native platform and make use of best-in-class security tools and practices to maintain a high level of security focus.

Encryption of sensitive data and communication

All data is encrypted in transit, through all layers of our application and processing. Typically this is TLS1.2+ but supporting TLS1.1 for compatibility.

All data is encrypted at rest. This is a combination of AES-256 and AWS-based KMS for packages, and Fernet based (plus others) for "sensitive data" in relational data.

Encryption keys are either HSM (Hardware Security Module), KMS (Key Management Service) or via environment (symmetric with rotations) depending on what's been accessed. Rotation is handled internally.

Vulnerability disclosure and Bug Bounty program

Security issues are considered a higher priority than all other issues and the team will investigate and respond to any reported vulnerability in scope. We request that you do not publicly disclose the issue until it has been identified and resolved by Cloudsmith.

We understand the hard work and knowledge required to identify viable security issues. To show our appreciation we offer a reward program for responsibly disclosed vulnerabilities in scope.

Details of our active, open-ended bug bounty program:
https://help.cloudsmith.io/docs/bug-bounty-programme

You can see some of the exploit categories identified and fixed here:
https://help.cloudsmith.io/docs/exploits-hall-of-fame

Security Certifications

We're in the process of certifying for ISO27001:2013 and once achieved, we will follow with SOC2.

Updated 4 months ago


Security at Cloudsmith


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.