Network / Infrastructure Security

We use established best practices to provide cloud security. Those practices and their applications are also publicly available in our GitHub repository. In summary, we take the following steps.

  • For our managed service, we review and select hosting providers based on their physical and digital security practices.
  • Elastic Compute: We use Linux KVM for full virtualization. We further use the Cloud Hypervisor as our virtual machine monitor (VMM); and contain each VMM within Linux namespaces for isolation and security.
  • Block Storage: We use Storage Performance Development Toolkit (SPDK) to provide virtualized block storage to VMs. We encrypt the data encryption key itself, ensuring that a compromised host isn’t enough to decrypt customer data. We also regularly rotate encryption keys.
  • Virtual Networking: We use IPsec tunneling to establish an encrypted and private network environment; and regularly rotate encryption keys. For security, each customer’s VMs operate in their own networking namespace.
  • Firewalls: By default, we block incoming traffic to all virtual machines (VMs). The exception to this is our managed PostgreSQL database, which allows incoming traffic to the PostgreSQL port (5432). We allow connections initiated by the VM and any return traffic.

Software Security

Ubicloud cloud services are available under the AGPL v3 License. We follow an open development model and our source code is available for review in GitHub: https://github.com/ubicloud/ubicloud

Additionally, we follow standard security best prices to receive vulnerability alerts. These include:

  • Code scanning alters through industry-leading semantic code analysis engine CodeQL
  • Security issue alerts through language specific static code analysis engine Ruby Brakeman
  • Secret scanning alerts
  • Dependabot alerts to receive notifications when one of our dependencies has a vulnerability

Security Issues

Reporting A Security Vulnerability

If you have a security concern or believe you have found a vulnerability in our infrastructure, please send your report to [email protected]. This will give us a structured way to track and respond to your concerns.

When we receive your report, we will reply within 24 hours and issue you a ticket ID for future tracking.

Vulnerability Remediation

We will investigate each reported vulnerability according to its severity. We will then patch or remediate each issue within a timeframe that’s appropriate to the vulnerability’s severity, given that a patch or remediation steps are available.

Severity: Timeframe

  • Critical: 24 hours
  • High: 1 week
  • Medium: 1 month
  • Others: As necessary

If your vulnerability report includes a severity rating, we’ll use that as our starting point. Based on our investigation, we may upgrade or downgrade the severity rating.