Security and Privacy Guidelines
General Company Information
Docker, Inc. is a corporation registered in Delaware with its principal place of business in Palo Alto, California. Docker has subsidiaries in multiple countries. Docker and its subsidiaries are collectively described herein as “Docker” or the “Company”.
Organizational Security Measures
Global IT & Security Policy – Docker maintains a Global IT and Security Policy which is applicable to all of its employees and subsidiaries worldwide. The policy is consistent with all applicable local laws and makes employees responsible for safeguarding the company property and programs to which they have access.
Confidential Information – Docker employees are expected to respect and protect confidential information of the Company, as well as any such information the Company may hold as a result of a business relationship.
Physical and Technical Security Measures
Docker does not operate its own servers or networks. Docker relies on the services of Amazon Web Services, located in Virginia, USA, for its storage requirements. Docker utilizes third-party application providers such as Google, GitHub, Dropbox and Salesforce for its business requirements – it does not operate its own network for these applications or the storage associated with them. Docker utilizes appropriate access controls for these applications, including multi-factor authentication as well as the services of the single sign-on provider Okta. Employees only have access to information for which there is a specific need to know. Docker operates its business on a fully remote, distributed basis and does not maintain any physical office locations.
Data Privacy and Security
At Docker we take security seriously and consider it one of our top priorities. If you discover a security issue, please bring it to our attention.
Reporting a Vulnerability
Please DO NOT file a public issue; instead, send your report privately to [email protected].
- Keep your report concise, preferably including steps to reproduce the issue and a proof-of-concept.
- Keep information about any vulnerabilities you have discovered confidential until we have had up to 90 days to resolve the issue.
- Please do not perform any security research which disrupts live services, violates privacy or corrupts other users’ data.
- Social engineering, physical attacks, denial of service and vulnerabilities in third-party components are considered out of scope.
We currently do not offer a paid security bounty program. Security reports are, however, greatly appreciated, and if you are the first to report a verifiable security issue, you will be publicly credited for it unless you request otherwise.
Third Party Review
Docker does not act as a system of record for any of its customers and has not engaged any third party for any SOC compliance or similar review. The Company does have its financial statements audited annually. Docker is a private company and its financial information is company confidential information.
Software Development and Lifecycle
Docker has implemented and maintains a secure software development life cycle for all applications which integrate with its environment or are developed on its behalf. Docker observes industry-standard application security guidelines such as those of the Open Web Application Security Project (OWASP). Docker ensures that (a) regular reviews of application source code occur, (b) developers receive detailed coding and design training in application security, and (c) development, testing, production and operational facilities are separated to reduce the risk of unauthorized access or changes to the production and operational systems.