This document is intended to help our customers' security, risk, compliance, or developer teams evaluate what we do with our customers' code and data.
Because Agile Season is open source, in this document we refer to portions of the application code and its dependent libraries, frameworks, and programming languages.
For security inquiries or vulnerability reports, please email firstname.lastname@example.org.
A small team within agileseason is responsible for Agile Season. We can't afford to hire a third-party security company to audit Agile Season, but the codebase is open source. We believe that transparency and this document can help keep Agile Season as secure as possible.
What happens when you authenticate your GitHub account
Using OAuth2 means we do not access your GitHub password and that you can revoke our access at any time.
Your GitHub token is needed in order to fetch issue content, comments and repo information. This token is not stored in our Postgres database.
To browse the portions of the codebase related to authentication, grep for the following terms:
grep -R omniauth app
grep -R github_token app
What happens when Agile Season refreshes your GitHub repositories
As part of this process, we temporarily store your encrypted GitHub token in the Redis database when enqueueing Sidekiq workers.
grep -R encrypted_github_token app
All agileseason employees have access to change Agile Season's source code (the repo you're reading right now, which is open source) and to push it to GitHub.
All agileseason employees have access to Agile Season's staging and production Linode applications and databases. They can deploy new code, or read and write to the databases.
What you can do to make your Agile Season use safer
Use environment variables in your code to separate code from configuration.