All our repository operations and analysis runs are executed in a secure sandbox. Each sandbox is restricted to access data only within its scope, and it is not possible to access a sandbox from another sandbox, or from the Internet. Each analysis run starts in a fresh sandbox, and each sandbox is destroyed after each run, preventing leaking any user-specific information or source code from inside the runtime to other sandboxes or a public network.
SOURCE CODE SECURITYWe use OAuth tokens as our authentication mechanism to access source code from the supported source code hosting providers. When you start using DeepSource, you have to explicitly grant permissions in the respective source code hosting provider that you are authorizing us to check out your public and private repositories. To analyze the source code, we check out your code from supported source code hosting providers.
DeepSource does not store your source code. As soon as the analysis transaction is complete, the source code is purged within our infrastructure and are not backed up.
Security at DeepSource
We follow a comprehensive set of practices and policies to make sure our systems, thus our users' data, is secure.
3,000+ companies trust DeepSource to ship clean and secure code
Sandboxed analysis environments
All our repository operations and analysis runs are executed in a secure sandbox. Each sandbox is restricted to access data only within its scope.
SOURCE CODE SECURITY
We use OAuth tokens as our authentication mechanism to access source code from the supported source code hosting providers.
Sandboxed analysis environments
Data center security
DeepSource’s infrastructure runs on data centers provided by Google Cloud Platform which follows stringent security practices.
DATA LOSS PREVENTION
All data we process and store are backed up frequently to multiple regions.
SAFE COMMUNICATION
All data exchanged with DeepSource is transmitted over TLS.
Data center security
DeepSource’s infrastructure runs on data centers provided by Google Cloud Platform which follows stringent security practices. Refer to Google Cloud Platform’s compliance and security documentation for detailed information. We follow a variety of safeguards to isolate and encrypt customer data. We employ various layers of access control with mandatory TOTP/U2F based authentications to all employees of DeepSource. Our software infrastructure is audited regularly and updated with the latest security patches.
DATA LOSS PREVENTIONAll data we process and store are backed up frequently to multiple regions. Two identical copies are always ready and waiting for an immediate hot-swap in case of any failure of our underlying services. DeepSource encryption uses 256-bit AES keys to protect backups at rest, and encrypts data in motion with 128-bit AES SSL/TLS encryption.
SAFE COMMUNICATIONAll data exchanged with DeepSource is transmitted over TLS. All repository operations of private data is done over HTTPS authenticated with short lived authentication tokens.
Compliance
We have your data security needs covered.
DeepSource is SOC 2 Type II compliant. SOC 2 ensures that we follow strict information security policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of user data.
DeepSource is compliant with the General Data Protection Regulation (GDPR). To learn more about how we collect, keep, and process your private information in compliance with GDPR, please view our privacy policy.
Responsible disclosure
Data security is a top priority for DeepSource, and we believe that working with skilled security researchers can identify weaknesses in any technology.
EXCLUSIONS
DeepSource is always open to feedback, questions, and suggestions. If you would like to talk with us, please email at security@deepsource.io.
Responsible disclosure
Introduction
DeepSource takes the security of its systems and its data very seriously. We continuously strive to maintain and ensure that our environment is safe and secure for everyone to use. We understand the effort that goes into security research. To show our appreciation to researchers, who help keep our products and our customer's data safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.
If a researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, we commit to the following:
- Acknowledge receipt of the vulnerability report and work with the security researcher to quickly understand and resolve the issue.
- Validate, respond, and fix such vulnerabilities in accordance with our security and privacy commitments. We will notify you when the issue is resolved.
- Pay a bug bounty in accordance with our bounty rates mentioned under "Recognition and Compensation."
Response Time
DeepSource will make its best effort to meet the following response targets for security researchers participating in our program:
- Time to first response (from report submission) - At most two business days.
- Time to triage (from report submission) - Less than ten business days from the first response.
- Time to bounty (from triage) - At most 10 business days.
Bug Bounty Program rules
- A Researcher can test only against an account if they are an account owner or agent authorized by the account owner to conduct such testing.
- If you accidentally access any of our customer data or any other sensitive data, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately to security@deepsource.io if you gain access to any non-public application or non-public credentials.
- Do not degrade the user experience, disrupt production systems, or destroy data during security testing. The following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DoS or DDoS attack. A responsible disclosure also does not include identifying spelling mistakes or UI and UX bugs.
- Do not use scanners or automated tools to find vulnerabilities (we may automatically suspend your account and ban your IP address).
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the vulnerability report will not be eligible for a reward. Submit any necessary screenshots, screen captures, and network requests if required.
- Partial disclosures are not accepted (e.g., submitting an HTML Injection issue and later another submission as XSS by chaining the HTML Injection).
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- As a researcher, you need to honor the response time period defined above. We will ensure that we get back to you within the defined response time. Only in case, if we exceed the response time, please feel free to reach out to us for any updates. Not honoring the same may lead to the blacklisting of the user itself.
Reward Eligibility
Current employees or contractors helping DeepSource with development or managing any part of DeepSource are not eligible to participate in the program. Former employees are eligible to participate in the program only, if
- They left DeepSource more than one year before the submission.
- They are not using or referring to any non-public DeepSource information obtained when they were employees or contractors.
Bounty Payout rules
Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of DeepSource, quality, creativity, or novelty of submissions may modify payouts within the given range.
- In case of multiple reports about the same issue, DeepSource will reward the earliest submission, regardless of how the issue was reported.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- The vulnerability is confirmed to be a valid security issue.
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and DeepSource. DeepSource will take a reasonable time to remedy such vulnerability (at least two weeks at a minimum, but this depends on the nature of the security vulnerability and regulatory compliance by DeepSource). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written permission from DeepSource is obtained.
Assets In Scope of our Bug Bounty Program
- deepsource.com
Vulnerabilities Out of Scope of our Bug Bounty Program
The following issues are considered out of scope:
- Missing best practices in SSL/TLS configuration, networking issues, or industry standards.
- Any activity that could lead to the disruption of our service (DoS), Resource Exhaustion attacks.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Presence of autocomplete attribute on web forms.
- Username / Email Enumeration
- via Login Page error messages.
- via Forgot Password error messages.
- via Registrations.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Self-XSS and issues exploitable only through Self-XSS.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than two stable versions behind the latest released stable version)
- Software version disclosure / Banner identification issues/ headers (e.g. application or server errors, HTTP 404 codes/pages, or other HTTP non-200 codes/pages).
- Public Zero-day/CVE vulnerabilities that have had an official patch for less than one month will be awarded case-by-case.
- Tab-nabbing.
- Open redirect.
- Third-party hosted services.
- SPF DKIM or DMARC-related security issues.
- Social Engineering.
- For example, attempts to steal cookies and fake login pages to collect credentials.
- Phishing.
- Vulnerability reports relating to sites or network devices not owned by DeepSource.
Vulnerability report submission format
- Report Title
- Vulnerable/Affected Assets
- OWASP Category 2017/2021 | CVE
- CVSS 3.1 Score
- Severity
- Technical Description
- Steps to Reproduce
- PoC - Screenshots/Videos
- Business Impact
- Solution/Mitigation
- Recommendation if Any
Recognition and Compensation
Monetary compensation for bugs ranges depending on severity calculated with CVSS 3.1 calculator. The final decision on the severity of a bug remains with DeepSource. All bounties will be processed using Paypal.
To know more about CVSS, refer https://www.first.org/cvss/
Consequences of complying with this policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If a third party initiates legal action against you and you have complied with DeepSource’s VDP, DeepSource will take steps to make it known that your actions were conducted in compliance with this policy.
Public disclosure policy
By default, this program is in “PUBLIC NONDISCLOSURE” mode, which means:
This program does not allow PUBLIC DISCLOSURE. One should not release the information about the vulnerabilities found in this program to the public, failing which shall be liable for legal penalties. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Thank you for helping keep DeepSource and our customers safe!
Reporting a vulnerability
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@deepsource.io. We will acknowledge your email within 1 business day. If you would like to encrypt sensitive information, here’s our PGP key.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBF6f3h4BCADBnB37GPRp1K1H25b40LwrT2GVpFEDhoOfAHfh7oiQxezgfgHi
HjwZUZqX/5wbebh65ogASrQAZEnYnd0YHSebh5EJUwWmza6b8nrXeBL0PkTBeVV3
u3OmfBnNHr4tZskJ3QYfxWWzzrpOTLXrMnfO3m3XCItAmURetUtyJ7TAOLoI9mLR
ol8ubs/Oh1AxOJVMSQHB2yAwx3ZZfUUrBCilwcM0xLBKW8R69QYKYsl+rDbgFUW3
F8T8OzQ8HAKUoKZwffuGee300DMno3Zrl+0EEubo8niKhOB1n/2DQehdri/diqBS
XlCP+UFrrButyT7aioI5L7pCiY3s55GfJYidABEBAAG0LERlZXBTb3VyY2Ugc2Vj
dXJpdHkgPHNlY3VyaXR5QGRlZXBzb3VyY2UuaW8+iQFUBBMBCAA+FiEE0wBiyy7M
wXXuWYtgHe1+o+NcMv0FAl6f3h4CGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAw
ECHgECF4AACgkQHe1+o+NcMv0XMQf8C8W6qQqKB9NxM/6p4p01+EiUVDm5MXwE
AEGXrXXFBtvEorXHt64DHSJl1cdPaf62+oAmkoFbNBRYW9eDUNdjocdlOiE/2DNnEb72
Z6c0BiGtJYJFpZnKv7U+Q8gdRmPqPWr27HmEnSvNuWMFXRJSnJ3KaC6YnHpS8wtg
p70M8nNaiEguoeykNVmL+dYCYg970IgfX7PlYfXYKwU1RjoCIi9wtW2M3FlYpC3J
EVZoyPr107VIL6BX/a2c3+xRP8GK5Fqvh9eMI6afmegpXMJUQmj+AlnRNShB0e4z
Zp3GbEpd6ZuHapmcWjcApzyH17idK/38EkuZeXE0aRLLmMiL7bkBDQRen94eAQgA
3u19dgN4IBMqBwKV+VBQ5aP0mgIH+gFznQz0WAG9z5On43vnIOLAT356YUlJgkt7
N8LxjCfaZzW8Zab+aejiefvEF/VHHjzQ9n87CHBoGVWjXLINeK6cv8BF6zK1gHgE
R8rA9ewrU9kg7KUciHx0mfWPxN7ZuWCwvIxwQDQNSeEc7IzNE1Fttz4JS+EpKse6
GawM2MzfAGNth198kfA/tJmRFXCebgC0dLwfhW9rWPln1R4gL7sdU0f1ilSywHCk
zkZm7Wyi8z5tbK7JUaiu8CAFIwO3aqqzx6Cd27blEvkGYpYsvSl7wGauJjGpPx0S
HcFD6BPjoY9GJaYv/FkdHwARAQABiQE8BBgBCAAmFiEE0wBiyy7MwXXuWYtgHe1+
o+NcMv0FAl6f3h4CGwwFCQPCZwAACgkQHe1+o+NcMv3Magf/fYMuQ1Gn0PYUquK5
pXlYgmbDcjjFEAXsKNznBfNlUOjZuwm8HD55plKbNJhDLxyIScvCWry9pp0IE699
u0hCdyAYO4PwyOJPa2uk4UgseoOHRgB1LTmE/3o+6Oorn9dhE60YUhKQjxNnHhJr
ze+VAjPtKZ+LNYv/PPTT3Kj6X2ZueiNoYXkZ7anHwdNOiVo/sU50F85OKvxZ8W6u
m9cgkmaMf3svrL6uizI4XAHwOzkyzLMlODh/hvu9GzLY/IMRz08dYBKDHNKlOE0T
OLUBdQ4fJ8q5G4lQxP/ZUd6s4jxJcPttAEh+jtFiAgeywb4A/VJpiGAE3oQdoSaS
QeeXEw==
=suf2
-----END PGP PUBLIC KEY BLOCK-----
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure. Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the DeepSource service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
EXCLUSIONS
While researching, we’d like you to refrain from Distributed Denial of Service (DDoS), spamming, social engineering or phishing of DeepSource employees or contractors, or any attacks against DeepSource’s physical property or data centers. Thank you for helping to keep DeepSource and our users safe!
DeepSource is always open to feedback, questions, and suggestions. If you would like to talk with us, please email at security@deepsource.io.
Shift left, enterprise-grade.
Start building with the most sophisticated static analysis platform for your workflow and prevent bugs before they end up in production.
Deploy on-premise to have absolute control of your data
Onboard thousands of repositories in minutes, not months
Save over 4 hours on average per developer every week
