Release is committed to maintaining the security of our systems and our customers’ information and our infrastructure. Release is secure by design and our API lets you automate security policies testing and remediation using third-party tools in your application lifecycle.
We perform frequent penetration tests, adhere to voluntary compliance standards, and continuously monitor our products and networks for any security vulnerabilities.
Release is a key part of our customers’ software development life cycle, as such we are committed to maintaining the security of our systems, people and customers’ information.
Data collection and data security: Release limits the amount of customer data collected to the minimum necessary. We process first name, last name, and email in order to provide the services, in addition to the user account from your company’s code repository.
All Application content is encrypted at rest with (AES256) and in-transit (TLS 1.2 or above). Release does not store or retain any Application data when our platform is deployed within the customers’ own cloud account.
We have operated in compliance with SOC 2 since 2021. Release recognizes the importance of adhering to a common set of compliance and certifications and earning validation from neutral industry auditors. Release platform has been audited by Johanson Group and granted SOC 2 Type 2 certification, and we maintain ongoing monitoring with Vanta. Customers can request a SOC 2 report by emailing email@example.com.
We conduct pentesting at least twice annually. We partner with an external pentesting organization to conduct rigorous testing and take immediate action on any findings. For report summary contact firstname.lastname@example.org.
Our products are secure by design and we build new functionality with security best practices at top of mind. Release API lets you automate security policies testing and remediation using third-party tools in your application lifecycle.
Repository integration: Release authenticates through OAuth tokens which can be revoked and/or re-authorized at any time. For GitHub, we use an installed GitHub App which allows customers to grant very fine-grained access to specific repositories, actions, and roles.
Applications isolation: Applications deploy as Kubernetes pods. Each Workspace operates within its own set of namespaces, so that they cannot interfere with each other. Application stages (like staging, production, qa) can also be deployed across cloud accounts and clusters to further isolate access and auditing.
Infrastructure and deployment: Release infrastructure runs on Amazon Web Service (AWS) and on Google Cloud Platform, both delivering infrastructure as a service with prime security capabilities. Their certifications are available here and here. Release can be hosted end-to-end by us (usually during the trial period), and deployed directly into customers’ own AWS or GCP account.
We appreciate and encourage security researchers to report potential vulnerabilities identified in any product, system, or asset belonging to Release, and submit their findings through our Responsible Disclosure Program.
* Please note, Release does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.
Responsible Disclosure Program Guidelines
Researchers should disclose potential vulnerabilities in accordance with the following guidelines:
1. Do not engage in any activity that can potentially or actually stop or degrade Release services or assets, cause harm to Release, our customer or employees.
2. Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity
3. Do not store, share, compromise or destroy Release or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Release. This step protects any potentially vulnerable data, and you.
4. Provide Release reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.
By responsibly submitting your findings to Release in accordance with these guidelines Release agrees not to pursue legal action against you. Release reserves all legal rights in the event of noncompliance with these guidelines.
Out of Scope Vulnerabilities
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program and include:
- Physical Testing
- Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials
- Denial of service attacks
- Resource Exhaustion Attacks
Submission Format and Instructions
Please email your reports to email@example.com including the following:
- a detailed summary of the vulnerability,
- the target,
- steps taken,
- tools used, and
- artifacts used during discovery (screen captures welcome).
Release commits to provide prompt acknowledgement of receipt of all reports (within three business days) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program