As hardcore engineers with pedigrees from finance, government and companies like Cloudera, working with sensitive data and security-conscious environments is part of our lifeblood. We pride ourselves on taking extra care when working with code access.

Application, Quality & Code Security

  • Code is pulled and analyzed in ephemeral, isolated containers or virtualized environments
  • Company employs engineers & contractors dedicated to Application Quality & Testing
  • FOSSA engineers employ regular peer code review
  • Sensitive data (e.g. user passwords, access tokens) is protected with fully encrypted, one-way access
  • FOSSA never generates permanent (non-revocable) access credentials for 3rd-party services. Tokens are rotated regularly upon expiration and follow the OAuth spec.

Web Security

  • All application data is transmitted over HTTPS
  • 24/7 application monitoring and DDoS protection
  • Hosted in Amazon Web Services datacenters (ISO 27001 and FISMA certified)

On-Prem Security

  • On-prem is fully sealed; all data (including open source analysis, cache, etc.) is stored and communicated behind the firewall.
  • Native HTTPS support baked into the on-prem offering
  • The application is distributed with multiple layers of containerization, virtualization and sandboxing across the stack
  • Successfully passed security review for Fortune 50 on-prem deployments

Physical, Operational & Information Privacy

  • 2-factor authentication required for all employees
  • Office located in private facilities with 24/7 security, surveillance and access cards

Security Disclosure Policy

If you think you've found a security issue, please email us at support@fossa.io or the founder directly at kevin@fossa.io with "[SECURITY]" in the title. DO NOT attempt to publicly disclose or report the vulnerability.