We don't stop at keeping your code safe. When your team's developers use Sourcegraph, they can discover and use your own security best practices much more easily in your own code. Your team can also more easily enforce security standards during code review.
If you have specific questions or concerns, contact us at [email protected].
Sourcegraph instances that host private code are typically deployed on-premises, so Sourcegraph employees have no access to customer data or code.
Self-hosted Sourcegraph instances do not send any customer code to other servers.
Additionally, other than the email address of the initial installer (for customer support, security, and product notification purposes), Sourcegraph never sends any private user data, such as usernames or email addresses, or other specific data to any other servers.
Learn more in our pings documentation.
Sourcegraph can be configured to enforce repository permissions from code hosts. Unit and integration tests protect the correctness of these permissions checks.
When you run Sourcegraph on your own infrastructure, you are protected by the network security policies enforced by your infrastructure environment. On sourcegraph.com, we maintain the following policies:
Sourcegraph supports HTTPS encryption when deployed on-premises.
Code reviews are mandatory for all code changes to our product. Security-sensitive pull requests must undergo review by the proper security code owner. Furthermore, we use Sourcegraph to provide critical context during code reviews (such as identifying dependencies of modified code).
We use a number of static analysis tools to identify security risks in development, including the following:
All development laptops have encrypted hard drives.
If you think that you have found a security issue, please email us at [email protected]. Please do not publicly disclose the issue until we’ve addressed it.
We provide monetary rewards, up to $10,000, for reporting security issues. This is determined based on the percentage of users impacted, the likelihood of encountering the vulnerability under normal use of the product, and the severity of potential service disruption or data leakage. Bounties will be awarded after the issue is confirmed fixed.
For additional information, see the internal Sourcegraph Handbook page on security.