Security at Stratusec
We build security software. Our own security practices must be exemplary.
Encryption Everywhere
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database connections use encrypted channels. Secrets are managed via environment variables — never hardcoded.
Authentication & Authorization
All API endpoints require authentication. Enterprise supports SSO (SAML/OIDC), RBAC with fine-grained permissions, and multi-tenant isolation. Sessions use JWT with short expiry and refresh rotation.
Audit Logging
Every significant action is logged with user identity, timestamp, resource affected, and outcome. Audit logs are immutable and retained for compliance. Remediation actions include full rollback trails.
Infrastructure Security
Docker containers run as non-root users with read-only filesystems. Database ports are bound to localhost only. Redis requires authentication. Network policies restrict inter-service communication.
Code Security
Automated security scanning in CI/CD (dependency audit, container scanning, SAST). Regular penetration testing and code reviews. All dependencies pinned and monitored for CVEs.
Vulnerability Disclosure
We welcome responsible security research. If you discover a vulnerability, please report it to security@stratusec.ai. We commit to acknowledging reports within 24 hours and providing fixes for critical issues within 72 hours.
Open Source Transparency
Stratusec's core is open source under Apache 2.0. Every line of code that touches your cloud infrastructure is publicly auditable. We believe security tools should be transparent — if software audits your infrastructure, you should be able to read every line of code it runs.
Report a Vulnerability
Found a security issue? We take all reports seriously and appreciate the security community's help in keeping Stratusec safe.
- Email: security@stratusec.ai
- Response time: Acknowledgment within 24 hours
- Critical fixes: Within 72 hours
- Scope: All Stratusec repositories and stratusec.ai