Skip to content
sudodudes_
[root@sudodudes ~]# Security

How we run our own shop.

We hold ourselves to the standard we ask of our clients. This page is a plain-English summary; deeper artifacts (SoA, pen-test letters, sub-processor list) are available under MNDA.

Hosting

sudodudes infrastructure runs on hardware we own and physically control. We do not use third-party SaaS for storage of client-sensitive evidence beyond what the engagement requires; what we do store is encrypted at rest with per-tenant keys and segmented per client.

Access

SSO with mandatory hardware-key second factor (no SMS, no TOTP). Least-privilege roles. All access is logged and reviewed weekly. Production access requires a peer-approved change request.

Engineering

Code is reviewed before merge. Dependency and container images are scanned on every push. Secrets live in a managed vault, never in repos. We run continuous monitoring on our own perimeter with the same posture we recommend to clients.

Incident response

24/7 on-call rotation. Documented runbooks. Clients are notified within four hours of a confirmed incident that affects them, with a written post-mortem within ten business days.

Responsible disclosure

Found a vulnerability in our infrastructure? Email [email protected]. Good-faith research is welcomed; we will not pursue legal action against researchers acting in good faith and within the scope below.

  • In scope: *.sudodudes.com
  • Out of scope: social engineering, physical, denial-of-service, anything against client tenants
  • Disclosure window: 90 days from acknowledgement, extended by agreement