Polyaxon is committed to developing secure, reliable products utilizing all modern security best practices and processes.
We take security very seriously at Polyaxon and welcome any peer review of our open-source codebase to help ensure that it remains completely secure.
Security features
SSL
Polyaxon allows and recommends setting an SSL for your deployments.
Admin view
The admin view is disabled by default, and can be easily enabled.
Data validation and serialization
Polyaxon performs strong serialization and validation on all data that goes into the database, and follows industry best practices when uploading files.
Encoded tokens everywhere
All user invitation and password reset tokens are base64 encoded with serverside secret. All tokens are always single use and always expire.
Password hashing
Polyaxon follows best practices for authentication with all passwords hashed and salted properly to ensure password integrity.
SQLi prevention
Polyaxon core API runs on django, and uses it’s ORM for creating queries, there’s no query builder and we do not generate raw SQL queries with interoperable variables.
XSS prevention
Polyaxon uses safe/escaped strings used everywhere.
Dependency management
All dependencies used in Polyaxon are scanned and reviewed carefully.
Responsible disclosure guidelines
We invite any Polyaxon user to take part in responsible disclosure of any vulnerability.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept
- Make a good faith effort to avoid privacy violations, destruction and modification of data
- Give reasonable time to correct the issue before making any information public
Security issues always take precedence over bug fixes and feature work. We can and we will make expedite releases/patches mark releases for serious security issues.
Issue triage
We’re always interested in hearing about any reproducible vulnerability that affects the security of Polyaxon users, including…
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)