Security Principles & Practices
Transparency, accountability, and relentless protection for your code, data, and infrastructure. We treat security as a foundational requirement, not an afterthought.
Last reviewed: 2025-09-15 | Version 3.2.1
Core Security Principles
Our architecture and operational practices are guided by industry-standard security frameworks. Every feature, pipeline, and deployment adheres to these foundational rules.
Zero Trust Architecture
Never trust, always verify. All access requests are authenticated, authorized, and encrypted, regardless of origin or network location.
Privacy by Design
Data minimization, purpose limitation, and strict retention policies are embedded into every system component from day one.
Defense in Depth
Multiple layered security controls across network, host, application, and data levels ensure no single point of failure compromises security.
Least Privilege Access
Users, services, and CI/CD runners receive only the minimum permissions required to perform their intended functions.
Continuous Verification
Automated security scanning, dependency auditing, and runtime monitoring operate 24/7 across all environments.
Transparent Operations
Public status reporting, documented incident post-mortems, and open security disclosures keep our community informed.
Compliance & Certifications
We maintain rigorous compliance postures to meet enterprise, regulatory, and industry standards. Third-party audits are conducted annually by independent assessors.
| Standard / Framework | Status | Last Audit | Scope |
|---|---|---|---|
| SOC 2 Type II | Certified | 2025-03-12 | Security, Availability, Confidentiality |
| ISO 27001:2022 | Certified | 2025-06-28 | Information Security Management |
| GDPR | Compliant | Ongoing | EU Data Residency & Processing |
| CCPA / CPRA | Compliant | Ongoing | California Consumer Privacy |
| ISO 27017 / 27018 | In Progress | Q4 2025 | Cloud Privacy & Controls |
Auditor reports and compliance documentation are available to enterprise customers upon request. Contact our compliance team for access.
Infrastructure & Data Protection
Our platform runs on hardened, isolated infrastructure with strict controls over data lifecycle, key management, and network boundaries.
- 🔐 Encryption Standards: Data at rest: AES-256-GCM with tenant-isolated keys. Data in transit: TLS 1.3 with HSTS and certificate pinning for APIs.
- 🔑 Key Management: HSM-backed cryptographic key management. Rotation every 90 days. Customer-managed encryption keys (CMEK) available for Enterprise.
- 🌐 Network Security: Private subnets, strict egress filtering, WAF, DDoS mitigation, and microsegmentation between compute, storage, and CI/CD runners.
- 👥 Access Control: RBAC with mandatory MFA for all administrative accounts. Session timeout policies, IP allowlisting, and audit logging for all privileged actions.
- 🗄️ Data Residency & Retention: Region-isolated storage. Configurable data retention policies. Automatic secure deletion using cryptographic erasure standards (NIST 800-88).
Supply Chain & Dependency Security
We treat our software supply chain with the same rigor as customer data. All base images, SDKs, and dependencies are verified before release.
- SBOM (Software Bill of Materials) generated for every release using SPDX/CycloneDX formats.
- Strict dependency pinning with automated CVE scanning and automated patching workflows.
- Immutable release artifacts with cryptographic signatures verified by GPG and transparency logs.
- Third-party component vetting aligned with SLSA Level 3 guidelines.
- Private registries and isolated build environments prevent dependency injection attacks.
Incident Response & Transparency
Security incidents are inevitable; how we respond defines trust. Our IR process follows NIST SP 800-61 and SANS frameworks.
Detection & Triage
Automated monitoring, anomaly detection, and manual review trigger severity classification within 15 minutes of alert.
Containment & Eradication
Isolation of affected systems, credential rotation, and forensic preservation. Customer impact is prioritized above all.
Communication
Real-time updates via status.git.dev and direct customer notifications. No delayed disclosures or ambiguous language.
Post-Incident Review
Public post-mortem published within 14 days. Root cause analysis, timeline, and implemented mitigations are documented openly.
Historical incident reports and security bulletins are archived at security.git.dev/advisories.
Report a Vulnerability
If you believe you've discovered a security issue in .git products, APIs, or infrastructure, please report it responsibly. We welcome coordinated disclosure and offer bug bounty rewards for valid findings.
Secure Contact Information
- Email: security@git.dev
- PGP Key ID: 0xF7A3 B912 E4C8 9D05
- Response Time: Initial acknowledgment within 24 hours. Status updates every 72 hours during investigation.
- Bug Bounty: Active program via HackerOne. Rewards up to $25,000 for critical findings.
We do not pursue legal action against researchers who follow responsible disclosure guidelines. Do not exploit affected systems or access/modify data belonging to other users.