
Security at Fugue


Bulletins

2021/12/13, updated 2021/12/17
Fugue is aware of the security issues affecting the Apache Log4j library, CVE-2021-44228 and CVE-2021-45046. The Fugue Platform, including its engine, API, client, and Regula, is not written with Java components and is therefore not affected by this issue. Fugue's reporting components are operated by Google Looker and were patched on December 13, 2021 for CVE-2021-44228 and on December 16, 2021 for CVE-2021-45046. Fugue customers do not need to perform any remediating actions at this time. We are actively tracking AWS's remediation for the services Fugue is built on. For more information, please see the AWS response.

Attestation and Certifications

Fugue is SSAE-18/SOC 2 Type II Compliant
Fugue is CIS Certified


Our Security Philosophy

Security is a first-class citizen at Fugue, and we are committed to ensuring the security of our customers and their data.

Securing Your Data

Fugue applies the following technical and organizational measures to its processes:

Physical access controls:

  • Fugue is built on Amazon Web Services and leverages all the platform's available security, privacy, and redundancy features
  • AWS maintains controls regarding physical and environmental security according to the shared responsibility model
  • Fugue is serverless by design to reduce attack surface and decrease operational overhead

Logical access controls:

  • Access to production data systems is denied by default
  • Audits are performed quarterly to ensure appropriate levels of access are authorized and commensurate with employee job function
  • Fugue's data stores are private with a number of restrictions to ensure they are not publicly accessible
  • Fugue scans itself to continuously monitor for security and compliance issues
  • Fugue employs security automations backed by AWS WAF
  • Fugue employs AWS services for IDS/IPS functionality across all production accounts

Operational controls:

  • All Fugue employees undergo a thorough background check before hire
  • All employees sign a proprietary information and inventions assignment (PIIA) at time of hire
  • All employees undergo security training at time of hire and annually thereafter
  • Fugue's critical vendors are reviewed annually
  • Fugue exercises incident response policies and procedures annually
  • Fugue undergoes annual risk discovery exercises followed by semiannual check-ins
  • Device security is audited quarterly
  • Third-party packages are checked for vulnerabilities on each commit (including JavaScript, Go, and Python dependencies) and audited quarterly
  • Fugue follows the latest NIST guidelines regarding password and MFA requirements
  • Fugue leverages third parties to conduct penetration and vulnerability testing
  • Fugue conducts application vulnerability scans quarterly using industry standard tools

Storage controls:

  • All data is encrypted at rest
  • All data is stored using highly available and durable services

Transmission controls:

  • All data is encrypted in transit using TLS 1.2 or higher
  • Removable storage is not used

Availability controls:

  • Fugue maintains business continuity and disaster recovery plans
  • Disaster recovery is tested annually or when significant changes occur to the infrastructure
  • Disaster recovery is conducted in a separate AWS account to ensure no production disruptions
  • Backups occur continuously and are stored in a separate AWS account with restricted access
  • Backups are encrypted at rest and in transit to the backup account

Separation controls:

  • Fugue maintains separate accounts for development, staging, and production
  • Data is segmented such that no production data can be moved to non-production environments

Report an Issue

Security belongs to everyone, including you. Fugue highly values and encourages participation from our community using our responsible reporting process.

We're very appreciative when members of the security community report vulnerabilities to us.

Report these issues directly to security@fugue.co.

Please use these guidelines:

  • Use our PGP key (available below) to encrypt your report
  • Do not submit vulnerabilities through the Fugue UI via Receptive
  • Give us enough detail to reproduce the vulnerability

Responsible Disclosure

Fugue will investigate all reports and act to remediate vulnerabilities as quickly as possible. We will not take legal action against you provided you comply with the following:

  • Do not access or modify data that does not belong to you
  • Do not attempt to DoS the UI or API
  • Allow us a reasonable amount of time to respond to, evaluate, and resolve security incidents before making any information public

PGP Key


Fingerprint
F244 5E1A 44D4 4D81 ABB3  A250 8E33 8E74 8B8C D691
v1.5, February 07, 2022