Polyaxon is committed to developing secure, reliable products utilizing all modern security best practices and processes.
We take security very seriously at Polyaxon and welcome any peer review of our open-source codebase to help ensure that it remains completely secure.
Polyaxon supports, and recommends, enabling SSL/TLS for your deployments.
The admin view is disabled by default, and can be easily enabled.
Polyaxon performs strong serialization and validation on all data that goes into the database, and follows industry best practices when uploading files.
All user invitation and password reset tokens are base64-encoded and bound to a server-side secret. All tokens are single-use and always expire.
Polyaxon follows best practices for authentication with all passwords hashed and salted properly to ensure password integrity.
The Polyaxon core API runs on Django and uses its ORM to build queries; there is no custom query builder, and we do not generate raw SQL queries with interpolated variables.
Polyaxon uses safe, escaped strings everywhere.
All dependencies used in Polyaxon are scanned and reviewed carefully.
We invite any Polyaxon user to take part in responsible disclosure of any vulnerability. When reporting, please:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept
- Make a good faith effort to avoid privacy violations and the destruction or modification of data
- Give reasonable time to correct the issue before making any information public
Security issues always take precedence over bug fixes and feature work. We can and will make expedited releases or patches for serious security issues.
We're always interested in hearing about any reproducible vulnerability that affects the security of Polyaxon users, including:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)