Cloudsmith has been independently audited and verified against ASVS 4.0, Level 2. To accomplish this, we built security measures in at each stage of architecting the Cloudsmith cloud-native platform, and we use best-in-class security tools and practices to maintain a high level of security focus.
All data is encrypted in transit, through all layers of our application and processing. Typically this is TLS 1.2+, with TLS 1.1 still supported for compatibility.
Encryption keys are managed either in an HSM (Hardware Security Module), in a KMS (Key Management Service), or via the environment (symmetric keys with rotation), depending on what is being accessed. Key rotation is handled internally.
Security issues are treated as a higher priority than all other issues, and the team will investigate and respond to any reported vulnerability that is in scope. We request that you do not publicly disclose the issue until it has been identified and resolved by Cloudsmith.
We understand the hard work and knowledge required to identify viable security issues. To show our appreciation we offer a reward program for responsibly disclosed vulnerabilities in scope.
Details of our active, open-ended bug bounty program:
You can see some of the exploit categories identified and fixed here:
Cloudsmith is certified under the Information Security Management Systems standard ISO27001:2013, also known as ISO27001.
ISO27001 certification sets out the requirements for implementing an Information Security Management System (ISMS) within an organization, with the ultimate aim of ensuring that the information assets it holds are more secure. Designed to cover much more than just IT, it is a complete end-to-end framework of policies and procedures that includes people, processes, and controls at all levels of the business.
ISO27001 certification demonstrates Cloudsmith's commitment to security and privacy. The ISO27001 cert can be downloaded here. For any information about our ISO27001 certification contact us at [email protected].
Updated 7 months ago