Security

Take a look under the hood at the security controls we use to protect your data and infrastructure.

Security at PulseHA

PulseHA is a Zero Trust Network Access (ZTNA) platform built on the principle of "never trust, always verify." Every connection is authenticated, authorized, and encrypted—regardless of network location.

Security Architecture

Zero Trust Principles

• No implicit trust - Network location grants no privileges
• Continuous verification - Trust is evaluated on every request
• Least privilege - Users access only what they need
• Assume breach - Defense in depth at every layer

Encryption

Agent Tunnel - WireGuard (ChaCha20, Curve25519, BLAKE2s, SipHash24).
Control Plane - TLS 1.3.
Gateway Authentication - mTLS with 4096-bit RSA CA.
Certificates - Short-lived (30 days), SPIFFE-based identity.

Private keys are generated on-device and never transmitted.

Authentication

Gateway Authentication

Gateways authenticate via mutual TLS with SPIFFE URI Subject Alternative Names (spiffe://pulseha.com/tenant/{id}/gateway/{id}). Certificates are validated for revocation and expiration.
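The following Go program is an added illustration of the checks described above and is not PulseHA's code. It issues a 30-day gateway certificate carrying a single SPIFFE URI SAN and then verifies it the way a control plane would at the mTLS handshake: chain and validity window, revocation, and identity shape. Assumptions made for the example: the CA is ECDSA P-256 rather than the page's RSA-4096 (only to keep key generation fast), a revoked-serial set stands in for a CRL or OCSP lookup, the allowed characters in {id} are a guess, and the tenant and gateway identifiers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"time"
)

// Gateway SPIFFE ID path shape from the page: /tenant/{id}/gateway/{id}.
// The allowed {id} character set is an assumption made for this example.
var gatewayPath = regexp.MustCompile(`^/tenant/([A-Za-z0-9-]+)/gateway/([A-Za-z0-9-]+)$`)

// GatewayIdentity is what the control plane learns from a verified peer certificate.
type GatewayIdentity struct{ TenantID, GatewayID string }

// VerifyGatewayCert applies the checks the page describes to the client certificate from the mTLS
// handshake: chain and validity window (x509.Verify), revocation (a revoked-serial set stands in
// for the CRL/OCSP lookup), and exactly one SPIFFE URI SAN with the gateway identity shape.
func VerifyGatewayCert(cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, now time.Time) (GatewayIdentity, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return GatewayIdentity{}, fmt.Errorf("chain/validity: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return GatewayIdentity{}, fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
	}
	if len(cert.URIs) != 1 {
		return GatewayIdentity{}, fmt.Errorf("want exactly one URI SAN, got %d", len(cert.URIs))
	}
	u := cert.URIs[0]
	if u.Scheme != "spiffe" || u.Host != "pulseha.com" {
		return GatewayIdentity{}, fmt.Errorf("SPIFFE ID %q is outside the trust domain", u)
	}
	m := gatewayPath.FindStringSubmatch(u.Path)
	if m == nil {
		return GatewayIdentity{}, fmt.Errorf("SPIFFE ID %q is not a gateway identity", u)
	}
	return GatewayIdentity{TenantID: m[1], GatewayID: m[2]}, nil
}

// newCA builds a self-signed CA. ECDSA P-256 keeps the example fast; the page's CA is RSA-4096.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Gateway CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueGatewayCert issues a 30-day leaf (the lifetime the page states) with one SPIFFE URI SAN.
func issueGatewayCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, id *url.URL, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // leaf key stays on the gateway
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "gateway"},
		NotBefore: notBefore, NotAfter: notBefore.Add(30 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	id := &url.URL{Scheme: "spiffe", Host: "pulseha.com", Path: "/tenant/t-42/gateway/gw-7"} // constructed IDs
	cert, err := issueGatewayCert(ca, caKey, 100, id, now.Add(-time.Minute))
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyGatewayCert(cert, roots, nil, now))                         // {t-42 gw-7} <nil>
	fmt.Println(VerifyGatewayCert(cert, roots, map[string]bool{"100": true}, now)) // revoked
}
```

The trust-domain and path checks matter as much as the signature: a certificate from the same CA with a SPIFFE ID under another tenant, or under an agent path, is a valid certificate but not a gateway identity for this tenant, and the control plane must refuse it before any authorization decision is made.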

Agent Authentication

Agents use OAuth 2.0 Device Authorization Flow. Tokens are validated against the control plane on every request.
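As an added illustration (not PulseHA's code), the Go program below models the two halves of the sentence above: the device authorization flow by which an agent obtains a token, and the per-request check of that token against control-plane state. The error code strings are the ones RFC 8628 and RFC 6749 define for the token endpoint. Everything else is assumed for the example: state is held in memory without locking, the grant and token lifetimes are constructed values, and the operator is taken to approve the user code from a browser session that is already signed in.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Token-endpoint error codes from RFC 8628 (device flow) and RFC 6749.
var (
	ErrAuthorizationPending = errors.New("authorization_pending")
	ErrExpiredToken         = errors.New("expired_token")
	ErrInvalidGrant         = errors.New("invalid_grant")
)

// deviceGrant is one in-progress device authorization, keyed by device_code in ControlPlane.
type deviceGrant struct {
	userCode string
	approved bool
	expires  time.Time
}

// ControlPlane plays both roles from the text: the authorization server that runs the device
// flow and the API that re-validates the agent's token on every request. State is in-memory
// and unsynchronized for the example; a real server would lock it.
type ControlPlane struct {
	grants map[string]*deviceGrant // device_code -> pending grant
	tokens map[string]time.Time    // access_token -> expiry
}

func NewControlPlane() *ControlPlane {
	return &ControlPlane{grants: map[string]*deviceGrant{}, tokens: map[string]time.Time{}}
}

func randomHex(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// DeviceAuthorize is the device authorization endpoint. The agent keeps device_code to itself and
// shows user_code to the operator, who enters it in a browser session that is already signed in.
// The 10-minute grant lifetime is a constructed value; the page does not state PulseHA's.
func (cp *ControlPlane) DeviceAuthorize(now time.Time) (deviceCode, userCode string) {
	deviceCode, userCode = randomHex(32), randomHex(4)
	cp.grants[deviceCode] = &deviceGrant{userCode: userCode, expires: now.Add(10 * time.Minute)}
	return deviceCode, userCode
}

// Approve records the operator's confirmation of a user_code from that browser session.
func (cp *ControlPlane) Approve(userCode string) bool {
	for _, g := range cp.grants {
		if g.userCode == userCode && !g.approved {
			g.approved = true
			return true
		}
	}
	return false
}

// Token is the endpoint the agent polls with grant_type urn:ietf:params:oauth:grant-type:device_code.
// It answers authorization_pending until approval, times out unapproved grants, and exchanges the
// device_code for an access token exactly once.
func (cp *ControlPlane) Token(deviceCode string, now time.Time) (string, error) {
	g, ok := cp.grants[deviceCode]
	if !ok {
		return "", ErrInvalidGrant
	}
	if now.After(g.expires) {
		delete(cp.grants, deviceCode)
		return "", ErrExpiredToken
	}
	if !g.approved {
		return "", ErrAuthorizationPending
	}
	delete(cp.grants, deviceCode) // the device_code is consumed by the exchange
	token := randomHex(32)
	cp.tokens[token] = now.Add(time.Hour) // constructed one-hour token lifetime
	return token, nil
}

// Authorize is the per-request check: every call consults control-plane state, so a revoked or
// expired token fails on the next request rather than at the next login.
func (cp *ControlPlane) Authorize(token string, now time.Time) bool {
	exp, ok := cp.tokens[token]
	return ok && now.Before(exp)
}

// Revoke drops a token; Authorize rejects it from the next request on.
func (cp *ControlPlane) Revoke(token string) { delete(cp.tokens, token) }

func main() {
	cp, now := NewControlPlane(), time.Now()
	dc, uc := cp.DeviceAuthorize(now)
	_, err := cp.Token(dc, now)
	fmt.Println("first poll:", err) // authorization_pending
	cp.Approve(uc)
	tok, _ := cp.Token(dc, now.Add(5*time.Second))
	fmt.Println("after approval:", cp.Authorize(tok, now.Add(time.Minute))) // true
	cp.Revoke(tok)
	fmt.Println("after revoke:", cp.Authorize(tok, now.Add(time.Minute))) // false
}
```

Two details carry the security weight here: the device_code is deleted on a successful exchange, so a captured code cannot be replayed for a second token, and Authorize never caches a verdict, which is what lets the control plane cut off an agent between one request and the next.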

Enterprise SSO

• SAML 2.0 - Full service provider implementation
• SCIM 2.0 - Automated user/group provisioning with bcrypt-hashed tokens
• Identity Providers - Google, Azure AD, Okta, GitHub, custom OIDC

Vulnerability Disclosure

We welcome responsible security research.

Contact: security@pulseha.com

Response SLA:

• Critical: 24 hours
• High: 48 hours
• Medium/Low: 72 hours

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment

We will not pursue legal action against researchers acting in good faith.

Product binary signature verification

PulseHA Authenticode signs Microsoft Windows executables and code signs Apple macOS executables.

Apple macOS

Use Apple's codesign utility to verify the integrity of an Apple macOS executable, and check that the TeamIdentifier field in its output matches the one shown below.

codesign --verify -d --verbose=2 /usr/local/bin/pulsehad
 
Executable=/usr/local/bin/pulsehad
Identifier=pulsehad
...
Authority=Developer ID Application: PulseHA Ltd. (xx)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
TeamIdentifier=xx
...

Microsoft Windows

Windows binaries may be signed by certificates with thumbprints matching xxx.

Use Microsoft's Get-AuthenticodeSignature cmdlet to verify the integrity of a Microsoft Windows executable. For example:

(Get-AuthenticodeSignature -FilePath terraform.exe).SignerCertificate | Format-List
 
Subject      : CN="PulseHA Ltd", O="PulseHA Ltd", L=London, S=London, C=UK
Issuer       : CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Thumbprint   : 
FriendlyName :
NotBefore    : 16/01/2020 00:00:00
NotAfter     : 20/01/2023 12:00:00
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
               System.Security.Cryptography.Oid...}