I understand how important security is to you and your organization. On this page, we have highlighted some of the security measures we use to protect your organization. We’re always looking for ways to improve. Have a suggestion? Don’t hesitate to reach out to me directly. - Lyal Avery, founder of PullRequest
If you have found a vulnerability within our codebase, please contact us at email@example.com
If you discover a vulnerability, we ask that you respect our customer’s data and act accordingly:
PullRequest offers both a hosted platform solution (SaaS) and an on-premise solution to be installed behind a corporate firewall. These installation types have different security concerns and issues, particularly with regards to access from our personnel. However, in both cases, we consider security as our primary concern.
For more information about Amazon’s security measures, see https://aws.amazon.com/security/.
All access to the application and review servers utilize HTTPS encrypted connections. Source code is transmitted over SSH connections secured with SSH keys and not passwords. SSH keys are added to repositories via APIs or manually during the setup process.
Passwords are stored using the bcrypt standard. They are never stored in plaintext. Password security is extremely important and is the end-user’s responsibility. We highly recommend enabling two-factor authentication for our customers. Two-factor authentication is a requirement for our reviewers at all times.
We do not collect passwords for other services, such as GitHub or Bitbucket. We only integrate with services that utilize OAUth or API tokens.
Like GitHub and other services that deal with repository storage, we do not encrypt repositories on the file system. Doing so would result in unacceptably slow responses times, and would not offer additional security, as any agent that penetrated our network security and got file system access would have access to the encrypting/unencrypting system. As such, we have chosen to focus on network and machine level security instead.
Repository data is stored on our server until the account is deleted by a user or during routine cleaning of dormant accounts. You can delete your account or repositories at any time within our file system. While we don’t delete data within our backup system as a regular course of business, we do not backup repository data (as it can be recreated from source control at any time).
No PullRequest staff will access your repositories or their contents without expressed permission, except where required for support, suspected abuse, or critical stoppages. If required for support, we will get permission before providing access.
Reviewers will have access to the code you are having reviewed, and depending on your security settings level, related code to the items of change. All reviewers have signed NDA and proprietary innovation agreements. Per their contract, they only work within the PullRequest environment and they do not make copies of the code they review.
pullrequest.yaml is a file to be placed in the root of your repository. It allows you to anonymize lines or prevent whole files from being reviewed. If you are storing certificates or passwords within your repository (we recommend you don’t!) you can prevent them from being distributed here.
We’re using Braintree and Stripe as our payment providers. Both are PCI Level 1 compliant (the strictest of standards). We do not store credit card or PII data within our database.
Please reach out if you have questions or concerns. We’re passionate about what we do! firstname.lastname@example.org