Security

Our Security Policy

We understand that many users place a high level of trust in HashiCorp and the products we make to manage mission critical infrastructure. The privacy of customer data and the security of our solutions and services are a top priority. That's why we apply widely accepted best practices when it comes to security.

Privacy

HashiCorp has a privacy policy page that discloses what information may be collected and how it is used. For any specific questions, please contact privacy@hashicorp.com.

Vulnerability Reporting

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly.

If you would like to report a vulnerability in one of our products, or have any security concerns with HashiCorp software, please e-mail security@hashicorp.com.

For non-critical matters, we prefer customers open a ticket with the appropriate product. In order for us to best investigate your request, please include any of the following when reporting:

  • Proof of concept
  • Any tools, including versions used
  • Tool output

We take all disclosures very seriously and will do our best to rapidly respond and verify the vulnerability before taking the necessary steps to fix it. After our initial reply to your disclosure, which should be directly after receiving it, we will periodically update you with the status of the fix.

Secure Communications

If you would like to secure your communications with us, the following PGP key can be used. You can also fetch our key from Keybase or from most keyservers with the key ID 51852D87348FFC4C and fingerprint 91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C.

    -----BEGIN PGP PUBLIC KEY BLOCK-----

    mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
    W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
    fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
    3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
    KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
    SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
    cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JAU4EEwEKADgWIQSRpuf4XQXG
    VjC+8YlRhS2HNI/8TAUCXn0BIQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
    CRBRhS2HNI/8TJITCACT2Zu2l8Jo/YLQMs+iYsC3gn5qJE/qf60VWpOnP0LG24rj
    k3j4ET5P2ow/o9lQNCM/fJrEB2CwhnlvbrLbNBbt2e35QVWvvxwFZwVcoBQXTXdT
    +G2cKS2Snc0bhNF7jcPX1zau8gxLurxQBaRdoL38XQ41aKfdOjEico4ZxQYSrOoC
    RbF6FODXj+ZL8CzJFa2Sd0rHAROHoF7WhKOvTrg1u8JvHrSgvLYGBHQZUV23cmXH
    yvzITl5jFzORf9TUdSv8tnuAnNsOV4vOA6lj61Z3/0Vgor+ZByfiznonPHQtKYtY
    kac1M/Dq2xZYiSf0tDFywgUDIF/IyS348wKmnDGjuQENBFMORM0BCADWj1GNOP4O
    wJmJDjI2gmeok6fYQeUbI/+Hnv5Z/cAK80Tvft3noy1oedxaDdazvrLu7YlyQOWA
    M1curbqJa6ozPAwc7T8XSwWxIuFfo9rStHQE3QUARxIdziQKTtlAbXI2mQU99c6x
    vSueQ/gq3ICFRBwCmPAm+JCwZG+cDLJJ/g6wEilNATSFdakbMX4lHUB2X0qradNO
    J66pdZWxTCxRLomPBWa5JEPanbosaJk0+n9+P6ImPiWpt8wiu0Qzfzo7loXiDxo/
    0G8fSbjYsIF+skY+zhNbY1MenfIPctB9X5iyW291mWW7rhhZyuqqxN2xnmPPgFmi
    QGd+8KVodadHABEBAAGJATwEGAECACYCGwwWIQSRpuf4XQXGVjC+8YlRhS2HNI/8
    TAUCXn0BRAUJEvOKdwAKCRBRhS2HNI/8TEzUB/9pEHVwtTxL8+VRq559Q0tPOIOb
    h3b+GroZRQGq/tcQDVbYOO6cyRMR9IohVJk0b9wnnUHoZpoA4H79UUfIB4sZngma
    enL/9magP1uAHxPxEa5i/yYqR0MYfz4+PGdvqyj91NrkZm3WIpwzqW/KZp8YnD77
    VzGVodT8xqAoHW+bHiza9Jmm9Rkf5/0i0JY7GXoJgk4QBG/Fcp0OR5NUWxN3PEM0
    dpeiU4GI5wOz5RAIOvSv7u1h0ZxMnJG4B4MKniIAr4yD7WYYZh/VxEPeiS/E1CVx
    qHV5VVCoEIoYVHIuFIyFu1lIcei53VD6V690rmn0bp4A5hs+kErhThvkok3c
    =+mCN
    -----END PGP PUBLIC KEY BLOCK-----

Checksum Verification

If you would like to verify the checksum of a HashiCorp download (such as one from the HashiCorp releases service), please note that only the SHASUM file is signed by the GPG key above. The binaries themselves are not signed, but rather hashed. To verify the integrity of a particular binary:

  • Download the binary, SHASUM, and SHASUM.sig files
  • Verify the SHASUM file is properly signed
  • Verify the SHASUM in the file matches the binary

For example:

# This is the public key from above - one-time step.
gpg --import hashicorp.asc

# Download the binary and signature files.
curl -Os https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_linux_amd64.zip
curl -Os https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_SHA256SUMS
curl -Os https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_SHA256SUMS.sig

# Verify the signature file is untampered.
gpg --verify vault_0.5.2_SHA256SUMS.sig vault_0.5.2_SHA256SUMS

# Verify the SHASUM matches the binary.
shasum -a 256 -c vault_0.5.2_SHA256SUMS