Security
Identity and Access Management is a critical part of cloud security, so security is our top priority when developing and maintaining IAM Zero. If you have any questions about our security program, email security@commonfate.io.
Secure Design
The IAM Zero client libraries do not capture or transmit AWS credentials such as access keys or session tokens. The IAM Zero service is designed to run locally on your own development machine or inside your own cloud environment. No external connections are required to deploy or run IAM Zero.
Release Verification
Once binary releases of IAM Zero are produced, they will be signed with our PGP key. We do not yet host binary builds, but you can build IAM Zero from source yourself. When binary builds become available, this page will be updated with instructions on how to verify the authenticity of a release.
Vulnerability Reporting
We deeply appreciate any effort to discover and disclose security vulnerabilities in IAM Zero. We do not currently operate a public bounty program, but reporters may be acknowledged in security notifications where appropriate.
If you would like to report a vulnerability in IAM Zero, please email security@commonfate.io rather than opening an issue on GitHub, and follow the responsible disclosure model. You may encrypt your message with the PGP key printed below. We take all vulnerability reports seriously, will respond promptly, and will verify the vulnerability before taking steps to address it.
Penetration Testing
Before IAM Zero reaches a stable release, we plan to engage an external third party to conduct an independent security assessment of the application. Once completed, the report will be available on request by emailing security@commonfate.io.
PGP Public Key
Our PGP public key can be fetched from Keybase. Its fingerprint is 65AB 725B 01E6 5C85 051F 9FD5 5024 78AB E3D8 ED71. A copy of the public key is included below.
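The project has not yet published its release layout or verification steps, so the following is an added example of how a practitioner would pin the fingerprint above when checking a signed release, not IAM Zero's own tooling. It assumes the usual detached-signature layout (artifact plus artifact.asc) and reads GnuPG's documented --status-fd output. The point it demonstrates is that "Good signature" from gpg is not enough: GOODSIG only carries a short key ID and a user ID, both of which can be reproduced on an attacker's key that you happen to have in your keyring, so the check must compare the full primary-key fingerprint from the VALIDSIG line against the one published here. The status-line samples in the block are constructed for the example, not captured from real gpg runs.

```python
"""Pin the IAM Zero release-signing key when verifying a gpg signature.

Added example for this page, not IAM Zero's own tooling. Assumes a
detached signature named <artifact>.asc and GnuPG's --status-fd format.
"""
import re
import subprocess
from typing import Optional

# The fingerprint published on this page: the pinned trust anchor.
IAM_ZERO_FINGERPRINT = "65AB 725B 01E6 5C85 051F 9FD5 5024 78AB E3D8 ED71"

# Constructed --status-fd samples used by the checks below (not real gpg output).
SUBKEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder signing subkey
ROGUE_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"   # placeholder unrelated key
STATUS_SIGNED_BY_PINNED_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 502478ABE3D8ED71 <constructed uid>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2021-01-01 1609459200 0 4 0 1 8 00 "
    "65AB725B01E65C85051F9FD5502478ABE3D8ED71\n"
)
# A key in the local keyring whose user ID was set to look like the project's.
STATUS_SIGNED_BY_OTHER_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF <constructed uid>\n"
    f"[GNUPG:] VALIDSIG {ROGUE_FPR} 2021-01-01 1609459200 0 4 0 1 8 00 {ROGUE_FPR}\n"
)
STATUS_BAD_SIGNATURE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 502478ABE3D8ED71 <constructed uid>\n"
)


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and upper-case so fingerprints compare exactly."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 40-hex-digit OpenPGP v4 fingerprint: {fpr!r}")
    return fpr


def signing_primary_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from the VALIDSIG line, or None.

    VALIDSIG is the only status line that both proves the signature is good
    and names the key by full fingerprint. Its last field is the primary
    key's fingerprint even when a subkey made the signature, so that is the
    value to pin. GOODSIG alone (short key ID plus user ID) is not enough.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            # Field 11 is the primary fingerprint; fall back to the signing
            # key's own fingerprint if an old gpg omits it.
            return (parts[11] if len(parts) > 11 else parts[2]).upper()
    return None


def signature_matches_pinned_key(status_output: str,
                                 pinned: str = IAM_ZERO_FINGERPRINT) -> bool:
    """True only if gpg reported VALIDSIG from the pinned primary key."""
    fpr = signing_primary_fingerprint(status_output)
    return fpr is not None and fpr == normalize_fingerprint(pinned)


def verify_release(artifact: str, signature: Optional[str] = None,
                   pinned: str = IAM_ZERO_FINGERPRINT) -> bool:
    """Run gpg on a detached signature and insist the signer is the pinned key."""
    signature = signature or artifact + ".asc"
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    # Non-zero exit means gpg itself rejected the signature (BADSIG, no key, ...);
    # a zero exit still only counts if the pinned fingerprint signed it.
    return proc.returncode == 0 and signature_matches_pinned_key(proc.stdout, pinned)


if __name__ == "__main__":
    import sys
    ok = verify_release(sys.argv[1])
    print("signed by the pinned IAM Zero key" if ok else "REJECTED: not signed by the pinned key")
    sys.exit(0 if ok else 1)
```

Import the key from Keybase into your keyring first, then run the script with the downloaded artifact as its argument. Because the script compares the primary-key fingerprint rather than the key ID or user ID, a release signed by any other key in your keyring, even one whose user ID imitates the project's, is rejected.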