Security Is in Our DNA

Do you have a security concern that you'd like to report?
Report an Issue
Security is a top priority at Kolide and at the heart of everything we do. We take on this awesome responsibility with humility, vigor and passion; building tools and services that are both honest and ethical.

Our Security Values

When it comes to our product's security, Kolide takes a strongly opinionated and common-sense stance. This perspective is embodied in three core values:
🔒
Simple Designs Yield Secure Outcomes
Kolide designs sensitive systems to be simple, reliable, and boring. We naturally shy away from convoluted architectures with unproven security benefits.
Read An Example
It Is Not Secure Until Experts Have Vetted it
Real security requires regular validation by experts. At Kolide, this includes professional compliance auditors, pen-testers, and independent security researchers.
Download our SOC2 Report
👐
Honesty and Transparency by Default
Kolide open sources its agent code and provides an honest and complete accounting of its capabilities and usage directly to end-users via the built-in Privacy Center.
Read Honest Security

Product security

Auth, SSO, and Passwords

Beyond password-based authentication, Kolide offers OAuth sign-in through Slack and Google. Additionally, Kolide is compatible with SAML-based SSO providers like Okta, OneLogin and others.

For password-based authentication, Kolide hashes all passwords with BCrypt. Additionally, at sign-in, Kolide checks all passwords against Troy Hunt's Pwned Passwords API (v2) using the K-Anonymity model.

Shortly after signing in, Kolide requires users to re-authenticate when they perform sensitive actions like adding or removing users, or creating API keys. We call this feature "sudo mode".

Kolide's API key authentication is resistant to timing attacks and has a bespoke and documented format which can be identified with security tools like semgrep

Data Encryption

All web, API, and endpoint agent traffic sent to or from Kolide's application uses HTTPS with TLS 256 bit encryption. Kolide uses HSTS preloading and leverages Let's Encrypt to automatically renew TLS certificates.

Customer data transmitted to Kolide's service that is earmarked for long-term storage is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume.

Bug Bounty Program

Kolide runs a generous bug bounty program (facilitated through HackerOne) to incentivize independent security researchers to responsibly disclose vulnerabilities. This program covers: Kolide's web application, the API, and the Kolide agent.

To request an invitation to the program, please reach out to security@kolide.co

Role-Based Access and Permissions

Kolide offers a "limited-user" role which allows administrators to grant access to only a subset of Kolide's features. Kolide also offers customers the ability to generate API Keys with a custom set of "write" permissions.

Customer & End-User Accessible Audit Logs

Kolide maintains a customer accessible audit log of meaningful user interactions which can be accessed in the UI or programmatically via a REST API. Additionally, Kolide offers each end-user a personalized Privacy Center which features an audit log that displays impactful events, such as ownership assignment, and live queries issued against their devices.

Secure SDLC

Kolide develops its product with a continuous application deployment model. In this model, all code must be reviewed by qualified Kolide engineers before it is merged into the main-line branch and deployed to production. Additionally, Kolide uses automated tools that continuously analyze the code-base for vulnerable dependencies, unsafe coding practices, and inadvertent inclusions of sensitive data.

Logging and Alerting

Kolide collects, sanitizes, and aggregates logs for all web, API, and agent communication. These logs are structured, auditable, searchable, and are retained for at least 30 days.

Additionally, Kolide sends alerts to on-call engineers for notable events. These include run-time exceptions and other signals that may indicate abusive behavior or potential application performance and availability problems.

Payment Security

All credit card payments made to Kolide go through our partner, Stripe. Kolide itself never stores credit card information. Details about Stripe's security practices and PCI compliance can be found on Stripe's security page.


More From Kolide

Deep-dives, tutorials, and thought leadership.

Inside Kolide
Kolide's 30 Line Rails Multi-Tenant Strategy
Jason Meller
News
Honest Security: One Year Later
Jason Meller
Inside Kolide
How We Securely Autoupdate Osquery at Kolide
Kolide

Problems?

Do you have a security concern that you'd like to report?
Report an Issue