fork-dev / TrackerWin

Bug and issue tracker for Fork for Windows

Cyber Security Assessment - ISO27001 / SOC-2 / Compliance and Privacy Statement #2247

Closed Danielku15 closed 3 months ago

Danielku15 commented 5 months ago

Hey @DanPristupov

I'm a happy long-term Fork user and pushed a while ago for us to buy a range of licenses for company use across teams. Functionally we are very happy with it, and there is not a single day where we are not using Fork heavily.

Unfortunately our company did a security assessment and considered Fork a security risk due to the lack of insight into compliance and processes. There is a risk of intellectual property leakage due to the lack of insight into the software itself (closed source) and no official statements around this topic.

Your website unfortunately doesn't give much insight into the origin of the software or potential compliance topics. It feels a bit abandoned and raises concerns during such cyber security evaluations.

I am personally not very happy with that decision, but we are a bit lost in argumentation without your help.

In the interest of us staying with Fork, and maybe to broaden your customer base, there would be a need for an official compliance and privacy statement.

Looking forward to hearing your opinion on that topic.

Best Regards Daniel

DanPristupov commented 5 months ago

Do you have an ISO-27001 or SOC-2 Compliance certification which could establish a certain level of trust between companies and Fork?

No, we don't.

Can you publish and provide more official Compliance and Privacy statements around Fork?

What is privacy statement? What exactly do you expect us to publish?

Can you provide more official documents and statements about the country of origin and legal obligations with the development done on Fork which could establish further trust?

https://fork.dev/license states that we are from Czech Republic and license is governed by the laws of Czech Republic.

P.S. Fork is just a wrapper around git. Does git have ISO-27001 compliance certification? I couldn't find it.

P.P.S. A slightly related issue in the Mac issue tracker: https://github.com/fork-dev/Tracker/issues/2046

DanPristupov commented 5 months ago

I just checked.

ISO 27001 certification provides an independent attestation of a set of documented practices and procedures that cover a wide range of customer data protection aspects

Fork doesn't gather any customer data. It's a purely local application. We don't have telemetry and we don't even have Google Analytics on the website. There is no data to protect on our side.

Danielku15 commented 5 months ago

Thanks for your fast reply. We're also not fully sure (yet) what level of confirmation is enough for our lawyers and compliance departments to be satisfied and approve Git Fork. At this time we try to gather as much information and as many statements as possible to approach them with some foundation to discuss and negotiate.

I think the "luxury version" of what they want to see is something like this:

I think the "license agreement" is already a good step forward in terms of "legal situation".

P.S. Thanks a lot again for your effort and the software you are providing. I will keep you in the loop on how things are evolving on our side, and hopefully this discussion and the information we discuss here will also become a good reference for other companies going through this process (hoping we manage to get the green light there).

Danielku15 commented 1 month ago

@DanPristupov @TanyaPristupova I'm trying to warm up this topic again as discussions are again progressing. I hope you see this message in the closed issue.

Would it be possible for you to set up an official (signed?) Privacy Policy statement about your practices which you publish beside your license agreement? Here is some guidance on what could/should be in this statement.

The format could be similar to https://www.gitkraken.com/privacy. Maybe you already have some lawyer contacts who could help you set this up?

They also mentioned that if we can get some "agreement" signed by you, this would also make it easier to get approval. I am still trying to find out what exact things they need to have confirmed to get back the approval for using Fork.

Unfortunately they are rather "legal and compliance" people, not devs. So their understanding of how Fork works and "just uses git.exe" is limited.

DanPristupov commented 1 month ago

On what platform do you do your development?

This is private information.

An official statement that there is no kind of data collection or analytics embedded within the provided software or website (like you wrote here).

I can repeat this in the private email, if you want.

Provide a Software Bill of Materials (SBOM) for your software describing any potential 3rd party libraries integrated?

You can see the list of 3rd party libraries in Fork: Fork -> About -> Legal.

Describe how and where the "customer data" and "payment" aspects are stored and protected.

We use Paddle.com as a payment processor (https://www.paddle.com/legal/privacy)

Would it be possible for you to set up an official (signed?) Privacy Policy statement about your practices which you publish beside your license agreement? ... Maybe you already have some lawyer contacts who could help you set this up?

No, we will not do that. We don't have tens of people like GitKraken, and Tanya and I are busy full-time improving Fork. I personally work 5 days 8h/day and 4h/day during weekends. We have lots of complicated problems and really don't have time for that. BTW, that's why Fork is a one-time purchase, not a subscription.

As a side note. In the end, Fork is just a tool. Sometimes we can't use a particular tool (because of some reasons) and use something else.

Danielku15 commented 1 month ago

Thanks for your patience and time on that matter.

This is private information.

Let me maybe rephrase / give some more background on this point. The question behind this is: how do you ensure a secure software development lifecycle which cannot be tampered with and hijacked by attackers?

If you are on GitHub, this would already establish a good level of trust, as GitHub takes good measures to prevent access breaches to private areas. If you have a self-hosted server somewhere, our security compliance department expects a statement on how you ensure this is not compromised. As you do not have an official ISO-27001 or SOC-2 compliance certification, some other level of assurance is expected by them.

I can repeat this in the private email, if you want.

I think our security compliance department expects something which is legally binding and/or follows some proper formalities. Hence an "officially published" document in a similar format to your license agreement is expected by them.

You can see the list of 3rd party libraries in Fork: Fork -> About -> Legal.

While this is certainly good for human reading and OSS license obligations, there are standardized SBOM file formats which have further use in the security domain. The SBOM files allow automatic detection of vulnerabilities within the corporate network. E.g. we know Fork 2.1.0.0 is installed, and Fork uses AvalonEdit 6.3.0.90. If AvalonEdit publishes a CVE for this version, we know that our systems might be vulnerable and an update/hotfix is needed.

Remember the log4j incident, where a big challenge was even finding out what applications are using log4j? There is a big market trend around supply chain management to avoid future security incidents.

See:

No, we will not do that.

It's a risky statement for the future of Fork 😞. Let me elaborate: a personal statement is unfortunately not enough "trust" for a company. For software being sold on the market, a privacy statement is quite important to establish trust and set clear rules and laws which are being followed. Considering GDPR and the EU Cyber Resilience Act, it's not getting easier for developers to publish software.

Luckily, creating such a privacy policy is not a continuous effort unless you are changing your habits. It is a similar effort to your license agreement, which is a similarly legally assuring document. Especially as you're not collecting any data, I'd expect things to be fairly easy to set up. I only brought in the lawyer part as some have specialized in these matters and can give you the official "OK" that you do things right.

See:

I personally work 5 days 8h/day and 4h/day during weekends. We have lots of complicated problems and really don't have a time for that.

I understand that it's a demanding job to develop such software and I highly appreciate your work. It's tough in the modern world with all these legal obligations to publish and sell software. Open source projects might have it a bit easier, as things happen publicly exposed anyway and there are not many legal obligations under the OSS licenses.

As a side note. In the end, Fork is just a tool. Sometimes we can't use a particular tool (because of some reasons) and use something else.

And it is an amazing tool which I really don't want to miss in my daily developer life. That's why I want to put in this energy: not to be forced to switch to competitors, but to clarify every bit to make our security departments happy. I believe this is a topic which will not only make our company (and devs) happy, but might also help establish trust with future customers.

PS: Any statement on the licensing backend where customer data (e-mails) might be stored? No exact technical details, but enough to be able to judge and clarify the security aspects.

PPS: Thanks a lot for your hard work on Fork. I've used many Git UIs over the years, but none can compete with Fork in terms of usability and speed. No matter the outcome, I will stay a happy Fork user in my private world 🤘
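The SBOM use case described in the comment above (known installed application, known third-party component version, automated matching against published vulnerabilities) is easy to show end to end. The script below is an added example and is not code from Fork or from anyone in this thread: it parses a constructed CycloneDX JSON SBOM for a hypothetical "Fork 2.1.0.0" install listing AvalonEdit 6.3.0.90, and matches its components against a constructed advisory feed. The advisory IDs (EXAMPLE-2024-...), the affected/fixed version ranges and the second component are all made up for illustration; no real AvalonEdit vulnerability is implied, and `introduced`/`fixed` follow the OSV-style "affected from introduced up to but not including fixed" convention.

```python
"""Match a CycloneDX SBOM against a local advisory feed (added example).

Assumption: advisories use package URLs (purl) and half-open version ranges
[introduced, fixed). All data below is constructed; the advisory IDs are
not real CVEs and the AvalonEdit range is hypothetical.
"""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical Fork 2.1.0.0 installation.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "Fork", "version": "2.1.0.0"}},
    "components": [
        {"type": "library", "name": "AvalonEdit", "version": "6.3.0.90",
         "purl": "pkg:nuget/AvalonEdit@6.3.0.90"},
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
    ],
})

# Constructed advisory feed: hypothetical IDs and ranges, not real CVEs.
# "fixed": None means no fixed release is known yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:nuget/AvalonEdit",
     "introduced": "6.0.0.0", "fixed": "6.3.1.0"},
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:nuget/Newtonsoft.Json",
     "introduced": "0", "fixed": "13.0.2"},
]


def parse_version(text):
    """Turn '6.3.0.90' into a comparable tuple; trailing zeros are dropped
    so that '6.0.0.0' and '6.0' compare equal. Non-digit suffixes such as
    '90-beta' are tolerated by keeping only the leading digits."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed (no upper bound when fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Return (application name, application version, component list)."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    app = bom.get("metadata", {}).get("component", {})
    return app.get("name", "?"), app.get("version", "?"), bom.get("components", [])


def find_vulnerable(sbom_json, advisories):
    """Match each component's purl (without the @version part) against the
    feed and return (advisory id, component name, version, fixed) tuples."""
    _, _, components = load_components(sbom_json)
    hits = []
    for comp in components:
        base_purl = comp.get("purl", "").split("@", 1)[0]
        for adv in advisories:
            if base_purl == adv["purl"] and version_in_range(
                    comp["version"], adv["introduced"], adv.get("fixed")):
                hits.append((adv["id"], comp["name"], comp["version"], adv.get("fixed")))
    return hits


def report(sbom_json, advisories):
    """Human-readable lines of the kind an inventory tool would emit."""
    app, app_ver, _ = load_components(sbom_json)
    lines = []
    for adv_id, name, ver, fixed in find_vulnerable(sbom_json, advisories):
        fix = f"fixed in {fixed}" if fixed else "no fix available"
        lines.append(f"{app} {app_ver} ships {name} {ver}: affected by {adv_id} ({fix})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(line)
```

The second advisory deliberately does not match (13.0.3 is at or above its hypothetical fixed version), which is the point of carrying machine-readable versions: the About -> Legal list tells a human what is inside, but only a versioned purl lets an inventory tool answer "is the installed build affected?" without anyone opening the application.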

gamebird92 commented 1 week ago

Since our company is switching from SVN to git, our team of programmers came across Fork and wants to use it.

We are located in the EU and affected by the new NIS2 law. I have read through the license information on your website and sadly that is not enough; unless there are some changes as @Danielku15 mentioned, I cannot allow Fork to be used in our company.