Hello,
How often does Distill do 3rd party/OSS library scanning for license and security vulnerabilities? And are you open source?
Thank you!
@jsup Distill is closed source and not reviewed by a 3rd party. Do you have any specific concerns, or are you looking for certifications like SOC?
@ajitk Thank you for getting back to me.
While I’d absolutely love something like a SOC2 cert report, I was just trying to see if you regularly scan for OSS vulns or have SLAs for remediating findings to get an idea of the security posture of this product. I have some team members interested in Distill so I am doing a light security review.
@jsup Thanks for the clarification — that’s completely reasonable, and we appreciate you doing due diligence before rolling this out more broadly.
While Distill is a closed-source product and we don’t currently publish formal certifications like SOC 2, we do take dependency security seriously:
We regularly review and monitor third-party / OSS dependencies as part of our development and release process.
Dependency updates and security advisories are evaluated as they arise, and known vulnerabilities are prioritized and remediated based on severity and impact.
We don’t publicly define or publish formal SLAs for vulnerability remediation, but addressing security issues in dependencies is an ongoing part of our engineering workflow.
That said, we understand that for some organizations, formal compliance reports or externally published security attestations are required. If your team needs more structured information (for example, to answer an internal security questionnaire), you’re welcome to reach out to us directly at support@distill.io, and we can share what’s appropriate on a case-by-case basis.
Thanks again for the thoughtful questions — happy to clarify further if needed.