Security
Identity and Access Management is a critical aspect of cloud security, and as such, security is our top priority when developing and maintaining Granted. If you have any questions about our security program you may email [email protected].
Design notes
Granted utilises the AWS Go SDK v2 for all credential exchange processes including handling of the AWS SSO login process. This SDK is officially supported by AWS.
Release Verification
Glide signs Granted binaries with our GPG key. You can verify the integrity and authenticity of a Granted binary by following the process below.
Prior to verifying a release you must import our GPG key
-
Download the Granted release artifact you wish to verify (we will use the Linux
x86_64
version as an example): -
Download the checksums for the release:
-
Download the signature file:
-
Verify the integrity of the release artifact:
You should see an output similar to the below:
-
Verify the integrity and authenticity of the checksums:
Firefox addon security
The Granted Firefox addon operates with the minimum possible permissions and does not have the ability to read information from any web pages. By design, the extension does not have permission to read any information from the DOM when you are accessing cloud provider consoles. The extension uses a Background Script which can’t directly access web page content.
The permissions that this extension requires are:
Permission | Reason |
---|---|
contextualIdentities | used to manage tab containers via the contextualIdentity API |
cookies | required to access container tab stores in order to list available identities |
tabs | required to open a new tab in a container |
storage | required to store information on the list of available containers |
Additionally, the source code for the addon is available on GitHub under the MIT licence. Security-conscious users may opt to build the extension from source and install it locally: instructions on how to do so are available in the GitHub repository.
Vulnerability Reporting
We deeply appreciate any effort to discover and disclose any security vulnerabilities in Granted. We currently do not operate a public bounty program but individuals may be acknowledged in security notifications as appropriate.
If you would like to report a vulnerability in Granted, please email [email protected] rather than raising an issue on GitHub. We ask that you follow the responsible disclosure model. You may encrypt your message with our PGP key printed below. We take all vulnerability reports seriously and will rapidly respond and verify the vulnerability before taking steps to address it.
PGP Public Key
Our PGP public key can be fetched from Keybase with fingerprint 65AB 725B 01E6 5C85 051F 9FD5 5024 78AB E3D8 ED71
. A copy of the public key is included below.
Linux package checksum verification
Common Fate’s Linux repositories are signed with a separate GPG key. The key is available at https://apt.releases.commonfate.io/gpg
and has the fingerprint 783A 4D1A 3057 4D2A BED0 49DD DE9D 631D 2D1D C944
. A copy of the public key is included below: