Independent Security Audit #220
Comments
@jvoorhis We are actually reaching out to begin this process now.
Glad to hear that. Do you intend to share the results publicly?
@jvoorhis Legally we're not allowed to share the actual results document (when it is done), but we can privately refer you to the agency who did the audit. They require an NDA to view any results since it contains sensitive testing techniques that could be considered trade secrets. We can, however, say who the agency was that we did the audit with and put that on the website, to some extent. We're still doing some legal back and forth and I don't want to jeopardize that, so the above is what we know so far, but it can change.
Thank you for your transparency. It seems like this is moving in a good direction, I'm looking forward to watching Vault take shape.
I just wanted to chime in and say that this would certainly help, since I am in the process of implementing vault+consul on a PCI environment. Having some documentation on the certification (such as an AOC) would go a long way in proving things to the auditors.
I don't think that an AOC could be issued here. The full deployment and completed ROC is required. I do think that a PA-DSS certification would apply in this situation. Having that would be helpful.
Do you guys have any further details on this one? It would be of interest to me as well.
We've signed everything with iSEC and will be starting the audit in late July. Any further details would require that you are also under NDA with iSEC. Please reach out to us at "hello@hashicorp.com", and we can work with you if this is something you are interested in.
Thank you Armon, I'll ping you offline.
Hi all, The security audit is complete. Due to NDAs and other legal requirements, we cannot publish the results. However, if you are interested in the results, we might be able to get you under the NDA if you email support@hashicorp.com. Thanks!
As Vault's API becomes more mature and stable, it will be worthwhile to conduct a security audit by an outside entity.