🔐 Security
Welcome to the Security space!
Purpose
The primary role of the Security Team is to identify the risks the company faces and reduce them to an acceptable level. We ensure that security best practices are followed, safeguard the security of our applications, and proactively address new vulnerabilities and incidents. Our goal is to maintain the confidentiality, integrity, and availability of our services.
While the Security Team's mission is to safeguard both Rocket.Chat and our customers, this goal can only be realized through collaboration, making security everyone's responsibility across the organization.
Structure
The structure of the Security Team can be divided into four main areas. While we do have specialists in each of these areas, it doesn’t mean that an Application Security Engineer can’t assist with GRC or Offensive Security, nor that an Offensive Security Engineer can’t support Incident Response, for example. These are simply the areas of focus for our Security Team, and as a team, we collaborate with each other as much as we can.
The activities of each area are divided as follows:
| Offensive Security | Defensive Security | Application Security | Governance, Risk, and Compliance (GRC) |
|---|---|---|---|
| At Rocket.Chat, Red Team and Offensive Security are used interchangeably. It encompasses: | At Rocket.Chat, Blue Team and Defensive Security are also used interchangeably. It encompasses: | Application Security, or simply AppSec, encompasses: | GRC encompasses: |
Communication and Information
Discussion Channels
RC security channel - day-to-day conversation, invite on request
RC important - company-wide announcements, including security updates
RC-security-team - team-internal conversations, all team members are added during onboarding
Mailing Lists
Compliance
Vulnerability Disclosure
Policies
Playbooks
Playbooks help us to standardize certain processes around security and enable transparency on how we work. The following are the security playbooks.
Refer to Security Playbooks