Security at Bunnyshell


Table of contents

Security Overview

Responsible Disclosure Policy

Security Overview

At Bunnyshell, data security is a critical aspect and we recognize the importance of collaborating with proficient security researchers to detect any vulnerabilities in our technology. If you come across any security vulnerability in Bunnyshell's service, please do not hesitate to inform us so we can take prompt action and address the issue together.

Data Security

Bunnyshell encrypts data at rest and in transit for all of our customers. We use tools like Hashicorp Vault to manage encryption keys for security in line with industry best practices.

Application Security

Bunnyshell regularly engages security experts for third-party penetration tests. Our penetration testers evaluate the running application, and the deployed environment.

Bunnyshell also uses high-quality static analysis tooling provided by Snyk to secure our product at every step of the development process.

Infrastructure Security

Bunnyshell uses Amazon Web Services to host our application. We make use of the security products embedded within the AWS ecosystem, such as GuardDuty.

Responsible Disclosure Policy

Last Updated: January 20, 2023

Disclosure Policy

  • If you believe you've discovered a potential vulnerability, please let us know by emailing us at We will acknowledge your email within one week.
  • It is prohibited to keep, distribute, expose or destroy Bunnyshell or customer data. If you come across any Personally Identifiable Information (PII), you should stop your activity, delete the related data from your system, and immediately inform Bunnyshell.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Bunnyshell service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
  • Before sharing any reported issue with a third party or disclosing it publicly, allow Bunnyshell a reasonable amount of time to rectify the issue.

Excluded Vulnerabilities

Our Responsible Disclosure Program has certain vulnerabilities that are not included in its scope.

  • Denial-of-Service (DoS) attacks
  • Social engineering or phishing of Bunnyshell employees or contractors
  • Any attacks against Bunnyshell's physical property
  • Resource exhaustion attacks
  • Spamming

This policy applies to Bunnyshell Application hosted at and to any other subdomains or services associated with the Bunnyshell App. We do not accept reports for vulnerabilities solely affecting our marketing website ( which contains no sensitive data.

Submission format

When submitting a report of a possible vulnerability, kindly provide a comprehensive summary of the vulnerability, including the target affected, steps taken, tools used and any relevant evidence (screenshots are highly appreciated).

Frequently asked questions

Everything you need to know about the product and billing.

What is Environments as a Service (EaaS)?
EaaS is a service where the application and environment run together while undergoing version control, and it uses automation to perform server configuration for specific applications.
What is an Ephemeral Environment?
Ephemeral environments are usually environments that live for the life of a Pull Request or are created manually to preview changes, showcase demos, or test new configurations.
What are the benefits of EaaS?
Using a fast and capable EaaS can improve development speed by at least two dimensions by removing rework and decreasing bottlenecks.
Is Bunnyshell SOC 2 Compliant?
Bunnyshell has successfully achieved SOC 2 Type I compliance. We have successfully completed a SOC 2 Type I audit, which confirms that our systems and processes meet the rigorous standards set forth by the SOC 2 framework for security, availability, processing integrity, confidentiality, and privacy.
How to integrate Bunnyshell with common CI/CD and DevOps tools?
Bunnyshell includes an extensive REST API for your existing CI/CD and DevOps tools enabling you to easily deploy environments directly from your own release pipeline

Still have questions?

Can't find the answer you're looking for? Please chat to our friendly team.

Get in touch