
Independent Security Audit #220

Closed
jvoorhis opened this issue May 18, 2015 · 10 comments

Comments

@jvoorhis
Contributor

As Vault's API becomes more mature and stable, it will be worthwhile to conduct a security audit by an outside entity.

@armon
Member

armon commented May 19, 2015

@jvoorhis We are actually reaching out to begin this process now.

@jvoorhis
Contributor Author

Glad to hear that. Do you intend to share the results publicly?

@mitchellh
Contributor

@jvoorhis Legally we're not allowed to share the actual results document (when it is done), but we can privately refer you to the agency who did the audit. They require an NDA to view any results since it contains sensitive testing techniques that could be considered trade secrets. We can, however, say who the agency was that we did the audit with and put that on the website, to some extent. We're still doing some legal back and forth and I don't want to jeopardize that, so the above is what we know so far, but it can change.

@jvoorhis
Contributor Author

Thank you for your transparency. It seems like this is moving in a good direction; I'm looking forward to watching Vault take shape.

@rmenn

rmenn commented May 26, 2015

I just wanted to chime in and say that this would certainly help, since I am in the process of implementing vault+consul in a PCI environment. Having some documentation on the certification (such as an AOC) would go a long way in proving things to the auditors.

@abedra
Contributor

abedra commented May 26, 2015

I don't think that an AOC could be issued here. The full deployment and completed ROC is required. I do think that a PA-DSS certification would apply in this situation. Having that would be helpful.

@adrianbn

Do you guys have any further details on this one? It would be of interest to me as well.

@armon
Member

armon commented Jun 11, 2015

We've signed everything with iSEC and will be starting the audit in late July. Any further details would require that you are also under NDA with iSEC. Please reach out to us at "hello@hashicorp.com", and we can work with you if this is something you are interested in.

@adrianbn

Thank you Armon, I'll ping you offline.

@sethvargo
Contributor

Hi all,

The security audit is complete. Due to NDAs and other legal requirements, we cannot publish the results. However, if you are interested in the results, we might be able to get you under the NDA if you email support@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Aug 7, 2015