Security at Upbound

At Upbound, we are keenly aware of the significant trust our users place in both our company and the products we develop for managing crucial infrastructure and services. Safeguarding customer data, protecting our products, and ensuring the security of our services are paramount to us. We prioritize top-notch security measures that begin with a strong foundation: complying with security standards, conducting regular internal and external security assessments, and implementing secure software development practices.

Compliance

We have a team dedicated to our compliance program and are committed to providing our customers with all relevant security documentation to build a foundation of trust in our company and products. As of June 2023, we have a SOC 2 Type II report. Other compliance reports will be coming soon.

AICPA SOC

SOC 2

SOC 2 is a restricted-use audit report that focuses on controls relevant to the security, availability, and confidentiality of a cloud service or product.

Request our SOC 2 Type II report for our Enterprise and Cloud Products by emailing security@upbound.io.

If you have any additional questions about our security program, please email security@upbound.io.
 

Privacy

Upbound respects your privacy and is committed to protecting your Personal Information (any information that relates to an identified or identifiable individual). We do not rent, sell or trade your Personal Information.

Our full privacy policy, including instructions for submitting a data request, is available at https://www.upbound.io/privacy.
 

Security

Penetration Tests

Upbound hires external, reputable third parties to perform regular security assessments and penetration testing of our products. Please email security@upbound.io if you need access to the full report.

Upbound Vulnerability Reporting

At Upbound, the security of our products is always top of mind. Any effort to discover and coordinate the disclosure of security vulnerabilities is a benefit for everyone. Upbound does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports, but we offer a Vulnerability Disclosure Program and encourage users to participate.

Upbound takes all vulnerability reports very seriously and aims to respond rapidly and verify the vulnerability before taking the necessary steps to address it. After our initial reply to your disclosure, which should come directly after we receive it, we will update you periodically on our response and remediation status.

If you would like to report a vulnerability in one of our products or services, or have a specific security concern regarding Upbound software or systems, you can report it using our vulnerability reporting tool below.

Crossplane Vulnerability Reporting

Upbound believes in bringing security best practices to the open source Crossplane community. As maintainers of the open source control plane framework, Upbound team members worked with the Cloud Native Computing Foundation (CNCF), Ada Logics, and OSTIF to complete a security audit of Crossplane.

The team also completed a fuzzing security audit of Crossplane, bringing continuous testing and peace of mind to the community. The audit bootstrapped stronger security processes for the project, and now community vulnerability reports can be disclosed following the Crossplane community security disclosure process.
 

Support

Bug and issue reporting

Upbound is committed to fixing issues fast and preventing regressions to make our software as stable as possible. We encourage customers to report any issues with Upbound products by contacting our support team directly at https://www.upbound.io/support/contact.

For issues with the open source project Crossplane, you can open an issue on the Crossplane GitHub page.

Availability

Upbound is committed to keeping our services available to our customers as much as possible. Real-time and historical availability information can be found at https://status.upbound.io.