Secure Development Practices
Root uses its own products internally. The software that runs Root’s platform - the AVR pipeline, API services, and registry infrastructure - is built and deployed using Root Image Catalog and Root Library Catalog. This means Root’s own images and packages are continuously patched by the same pipeline it provides to customers. Code review: All changes to Root’s platform require peer review before merging. No direct pushes to main branches. Security-sensitive changes (authentication, data handling, cryptographic operations) require review from a senior engineer. Dependency management: Application dependencies are managed through Root Library Catalog. All direct and transitive dependencies in Root’s services are resolved throughpkg.root.io, ensuring that vulnerable dependencies are patched before they reach production.
Secret scanning: Automated secret scanning runs on every commit. Credentials, API keys, and tokens are never committed to source control.
SSDLC (Secure Software Development Lifecycle): Root’s development process includes security requirements at the design stage, threat modeling for significant features, and security-focused code review criteria.
Infrastructure Security
Cloud provider: Root runs on AWS. All services are deployed in VPCs with private subnets for application workloads. Public-facing endpoints are protected by load balancers and WAF rules. Network segmentation: Application services, data stores, and build infrastructure run in separate security groups with minimal required connectivity between them. The AVR build pipeline runs in an isolated network segment with no inbound internet access. Encryption at rest: All data stored by Root - PostgreSQL databases, S3 buckets, Redis - uses encryption at rest with AWS-managed keys (AES-256). Encryption in transit: All communication between Root services and between Root and its customers uses TLS 1.2+. Registry credentials are never transmitted in plaintext. Access control: Production access requires MFA. Access to production systems is granted on a least-privilege basis and reviewed quarterly. Engineers have no standing access to production customer data.Vulnerability Disclosure Policy
Root welcomes responsible disclosure of security vulnerabilities in its platform. To report a vulnerability:- Email security@root.io with a description of the issue
- Include steps to reproduce if possible
- Root will acknowledge receipt within 1 business day
- Root commits to providing an initial response within 5 business days
- Exploit vulnerabilities beyond what is necessary to confirm the issue
- Access, modify, or delete customer data
- Perform denial-of-service testing
Penetration Testing
Root conducts third-party penetration testing annually covering the Root API, registries, and platform web application. A summary of the most recent penetration test is available to enterprise customers under NDA. Contact your Root account representative to request it.Data Handling
What Root collects: When you pull an image or package from Root’s registries, Root logs:- The image or package name and version pulled
- A timestamp
- Your organization identifier (not individual user identity for package pulls)