Security

Report a security issue

If you have identified a security issue in the runZero platform or related infrastructure (including assets under the rumble.run domain), please get in touch by email via security@runzero.com. To encrypt the contents of your message, please use PGP Key ID 60EBAAE9AEF08C6D.

SOC 2 Type II certification

runZero achieved SOC 2 compliance with the completion of a Type 2 audit. This rigorous, independent assessment of our internal security controls validates our dedication and adherence to the highest standards for security. If you would like to request a copy of our latest report, or copies of any of our other security documentation, please visit the runZero Trust Center.

TLS encryption

runZero encrypts all data in transit between the runZero Explorer and the cloud infrastructure using TLS v1.2 or later. You can find the SSL Labs report cards for critical services below:

Legacy domain names:

Binary verification

runZero uses an Extended Validation Authenticode certificate associated with Rumble, Inc. (our previous name) to sign all Windows executables. All runZero executables also contain an embedded Ed25519 signature, which can be verified with the runZero Verifier.

Multi-factor authentication

runZero supports multi-factor authentication (MFA) for the runZero Console through FIDO2-compatible (WebAuthn) security tokens, such as the Yubico YubiKey and the Google Titan key. This support extends to Windows Hello and mobile platform mechanisms such as fingerprint and face unlock.

Single sign-on

runZero supports single sign-on (SSO) via SAML 2.0 and has been tested with Okta, Auth0, GSuite, Office365, and Shibboleth. SSO is available to all customers at no additional cost.

Data location & encryption

runZero uses AWS (us-east-2) for all infrastructure. All storage is encrypted at rest using AWS-managed keys. User credentials are hashed using bcrypt and encrypted using AES-256 in GCM mode with an encryption key stored separately from the database.

Application security

runZero has been developed with security best practices in mind. For additional details about the platform architecture and to see the executive summary of our last penetration test, please contact us by email at security@runzero.com.

Disclosure policy

For vulnerabilities identified by runZero, please see our vulnerability disclosure policy.

Anything else?

Reach our security team by email at security@runzero.com. If you are looking for additional documentation or copies of our current certifications or security assessments, please visit the runZero Trust Center.


© Copyright 2024 runZero, Inc. All Rights Reserved