If you have identified a security issue in the runZero platform or related infrastructure (including assets under the rumble.run domain), please get in touch by email via security@runzero.com. To encrypt the contents of your message, please use PGP Key ID 60EBAAE9AEF08C6D.
runZero encrypts all data in-transit between the runZero Explorer and the cloud infrastructure using TLS v1.2 or later. You can find the SSL Labs report cards for critical services below:
Legacy domain names:
runZero uses an Extended Validation Authenticode certificate associated with Rumble, Inc (our previous name) to sign all Windows executables. All runZero executables also contain an embedded ED25519 signature, which can be verified with the runZero Verifier.
runZero supports multi-factor authentication (MFA) for the runZero Console through FIDO2-compatible (WebAuthn) security tokens, such as the Yubico YubiKey and the Google Titan key. This support extends to Windows Hello and mobile platform mechanisms such as fingerprint and face unlock.
runZero supports Single Sign On (SSO) via SAML/2.0 and has been tested with Okta, Auth0, GSuite, Office365, and Shibboleth. SSO is available to all customers at no additional cost.
runZero uses AWS (us-east-2) for all infrastructure. All storage is encrypted at rest using AWS-managed keys. User credentials are hashed using bcrypt and encrypted using AES-256 in GCM mode with an encryption key stored separately from the database.
runZero has been developed with security best practices in mind. For additional details about the platform architecture and to see the executive summary of our last penetration test, please contact us by email at security@runzero.com.
For vulnerabilities identified by runZero, please see our vulnerability disclosure policy.