Storing and retrieving a company's source code, configuration, and binary artifacts is a large responsibility. Unauthorised disclosure of these artifacts can leak company secrets and intellectual property. Unauthorised modification of files in an artifact repository can lead to development and production machines running malicious code. Accordingly, Deps takes security extremely seriously.
Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into online security, but here are some of the main things we do that might interest you:
- Our servers and data are hosted by Google Cloud Platform (GCP), Amazon Web Services (AWS) and Heroku. Google Cloud Platform is one of the largest and most sophisticated hosting companies in the world. Heroku uses Amazon Web Services (AWS) to host their servers. AWS is the largest hosting company in the world. GCP, AWS, and Heroku all have extensive physical and digital security in place.
- We use 256-bit encryption at all levels of our software. All connections to our website are encrypted (i.e. we encrypt “in transit”), our live database is encrypted (i.e. we encrypt “at rest”), binary artifacts are encrypted, and all of our data backups are encrypted.
- We never store passwords as plain text – they are always hashed and salted securely using pbkdf2 (older passwords) and bcrypt (newer passwords). We also do the same with all access keys.
- Our main servers are in Iowa, USA at Google’s us-central1 data center. We also have encrypted replicas of data in other GCP and AWS locations within the USA in case anything happens to the Iowa data center.
- We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.
Artifact downloading and uploading uses a separate set of keys from your login username and password. This prevents a key disclosure from leading to privilege escalation. These keys can be configured to only allow downloading in contexts where no uploads should be happening, e.g. continuous integration or staging servers.
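To make the two practices above concrete (salted password hashing with a migration path from older to newer parameters, and access keys that are hashed the same way but carry a download-only or download-and-upload scope), here is an added illustrative example. It is not Deps' code: the iteration counts, the record format, the `dk_` key-id prefix and the scope names are assumptions, and it uses only PBKDF2 from the Python standard library rather than bcrypt so that it runs without third-party packages.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Hypothetical policy values (assumptions for this example, not Deps' settings).
PBKDF2_ITERATIONS = 600_000   # current policy for newly stored secrets
LEGACY_ITERATIONS = 10_000    # constructed: what an "older" stored record might carry
SALT_BYTES = 16


def hash_secret(secret: str, iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Hash a password or key secret with a fresh random salt.

    The record is self-describing (algorithm$iterations$salt$hash) so that
    verification can recover the parameters and the service can later detect
    records that were written under an older, weaker policy.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True when a stored record predates the current policy.

    A service upgrades such records transparently: on the next successful
    login it has the plaintext and can store a new record with current
    parameters, which is how "older" and "newer" hashes coexist.
    """
    _, iters, _, _ = record.split("$")
    return int(iters) < PBKDF2_ITERATIONS


# Artifact access keys: separate from the login password, hashed the same
# way, and restricted to the actions the context actually needs.
@dataclass(frozen=True)
class AccessKey:
    key_id: str
    secret_record: str          # hash of the key secret, never the secret itself
    scope: FrozenSet[str]       # e.g. {"download"} for CI, {"download", "upload"} for publishing


def new_access_key(scope: Iterable[str]) -> Tuple[AccessKey, str]:
    """Mint a key. The plaintext is returned once for the user; only its hash is kept."""
    key_id = "dk_" + secrets.token_hex(6)        # "dk_" prefix is an assumption
    plaintext = secrets.token_urlsafe(32)
    return AccessKey(key_id, hash_secret(plaintext), frozenset(scope)), plaintext


def authorize(key: AccessKey, presented_secret: str, action: str) -> bool:
    """Permit an action only if the secret matches AND the key's scope covers it.

    A leaked download-only CI key therefore cannot be used to push a modified
    artifact, which is the privilege-escalation case the text describes.
    """
    if not verify_secret(presented_secret, key.secret_record):
        return False
    return action in key.scope


if __name__ == "__main__":
    record = hash_secret("correct horse battery staple")   # constructed sample
    print("login ok:", verify_secret("correct horse battery staple", record))
    legacy = hash_secret("correct horse battery staple", iterations=LEGACY_ITERATIONS)
    print("legacy record needs rehash:", needs_rehash(legacy))
    ci_key, ci_plain = new_access_key({"download"})
    print("CI key may download:", authorize(ci_key, ci_plain, "download"))
    print("CI key may upload:", authorize(ci_key, ci_plain, "upload"))
```

The constant-time comparison in `verify_secret` and the scope check in `authorize` are the two points worth copying: the first keeps a mismatch from leaking timing information about the stored hash, the second is what makes "download-only" an enforced property of the key rather than a convention.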
Security Vulnerability Reporting Policy
Deps values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.
If you are a security researcher and would like to report a security vulnerability, please send an email to: firstname.lastname@example.org. Please provide your name, contact information, and company name (if applicable) with each report. Priority will be granted to encrypted reports – please include your PGP public key with such reports.
Download the Deps PGP Key from Keybase.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure Guidelines:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
- Do not modify or access data that does not belong to you
- Give us a reasonable time to correct the issue before making any information public
We will attempt to respond to your report within 1-2 business days.