At Harness, the security and privacy of customer data, intellectual property, and personal data are top priorities. We maintain a geographically diverse security team dedicated to operating and continuously improving our security and compliance programs.
If you believe you have discovered a critical security bug or vulnerability, please contact [email protected]. We’ll get back to you within 24 hours.
If you’d like to participate in our private bug bounty, please reach out with your preferred email address. We request that you do not publicly disclose the issue until we have had a chance to address it.
Harness takes security seriously and has implemented a comprehensive security program to protect customer data. Each year, we undergo third-party audits and technical assessments of our security capabilities. To request a copy of our latest reports, please reach out to your account representative or [email protected].
Harness has intentionally minimized the amount of personal data needed to use our platform. In some circumstances, we may require personal data to facilitate your use of the platform, or to improve our websites and services.
Harness conducts risk assessments on at least an annual basis, and on-demand for significant changes to the environment. The output of the risk assessment is a report identifying and classifying risks, which are reviewed with management and stakeholders and tracked in a risk register. As a complement to the risk assessment process, Harness also conducts annual application business impact assessments to validate controls and security posture of critical systems.
Harness maintains a vendor risk management program that includes regular monitoring and assessment of suppliers’ ability to comply with security and compliance requirements. The scope of this program includes both business systems and technical assets used for service delivery.
Harness conducts risk-based threat modeling for critical application features and components, including new features and modules.
All Harness employees use Single Sign-On (SSO) for access to critical business systems, and we’ve adopted two-factor authentication across our estate wherever possible.
When new employees start, one of their first tasks is to attend security and privacy awareness training. We also conduct annual and ongoing security and privacy awareness training for all employees.
We use industry-leading SAST, DAST, and SCA tools to discover vulnerabilities in our codebase and container images. Findings are handled according to our documented Vulnerability Management policy and procedures.
We conduct internal technical security assessments on a regular basis, and track all findings through our vulnerability management process. We also engage with trusted third parties to complete network and application penetration tests at least annually.
We have audit logs enabled in our environment to identify anomalies, measure efficiency, and demonstrate compliance.
We maintain a dedicated Incident Response function, and keep customers updated on operational incidents through our Status Page.
The Harness Delegate is a service running in your local network or VPC that connects all of your artifact, infrastructure, collaboration, verification, and other providers with the Harness Manager.
Harness follows a documented secure SDLC for all development (SaaS and on-prem) to ensure the integrity of software updates distributed to customers. The SDLC includes PR reviews, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), regular penetration testing, and risk-based threat modeling for critical components.
Harness Security reviews each image released to production, and provides a “safe image” for the given deployment. This safe image ensures that third-party dependencies have been procured from trusted resources, and that relevant operating system hardening has been implemented.
Harness has implemented layered technical controls, including an automated scan integrated into our CI/CD pipeline to enumerate third-party security vulnerabilities, manual code review, and hardened production images.
Harness production secrets are stored using dedicated secret management technologies. Customers can use the built-in Harness Secrets Manager, or integrate an existing third-party solution.
Data submitted to Harness is encrypted in transit with TLS 1.2 or higher over the public internet.
Data stored in the Harness SaaS environment is encrypted at rest with AES-256.
Harness supports both local authentication and integration with your corporate Identity Provider. See our technical documentation for a detailed walkthrough on how to configure SSO. You can enforce two-factor authentication through Harness or through your Identity Provider.
We perform regular backups of our systems and data stored in the Harness platform. Data is encrypted at rest, and access to data stores is restricted by the principle of least privilege.
Harness maintains a documented Business Continuity and Disaster Recovery (BCDR) program, which is tested at least annually. Our Recovery Point Objective (RPO) is 6 hours, and our Recovery Time Objective (RTO) is 4 hours.