Vulnerability Disclosure Program

Overview

CodeRabbit is committed to ensuring the security of our systems and protecting our users' data. We welcome security researchers to responsibly disclose any security vulnerabilities they discover.

Scope of Systems

This Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, and including the CodeRabbit domain and related subdomains (collectively, “Information Systems”). This Policy does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where they sit under a CodeRabbit domain. You should comply with the responsible disclosure policies of those other systems, websites, and applications.

Scope of Vulnerabilities

This Policy covers technical vulnerabilities that potentially exist on our Information Systems, such as misconfigurations, cross-site request forgery (CSRF), privilege escalation, SQL injection, cross-site scripting (XSS), and directory traversal.

This Policy excludes the following vulnerabilities, subject to CodeRabbit’s discretion:

  • general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,
  • physical compromise or intrusions,
  • rate limiting or brute-force issues on non-authenticated endpoints,
  • compromises involving an insider,
  • social engineering (including phishing attempts),
  • reflected file downloads,
  • account takeovers (including any brute force attacks on accounts that are not yours),
  • red-teaming or adversarial testing of our services,
  • content issues with CodeRabbit bot and responses,
  • denial of service attacks,
  • clickjacking on pages with no sensitive actions,
  • missing HttpOnly or Secure flags on cookies,
  • dependency hijacking, or
  • any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days.

Reporting a Vulnerability

If you believe you've found a security vulnerability, please:

  1. Email us at [email protected] with a detailed description of the vulnerability
  2. Include steps to reproduce the issue
  3. Provide any proof-of-concept code or screenshots if applicable
  4. Avoid accessing or modifying user data
  5. Do not publicly disclose the issue until we've had a chance to address it

What to Include in Your Report

  • Description of the potential impact
  • Attack scenario (if applicable)
  • The type of vulnerability
  • Technical details and reproducible steps
  • Affected URLs, parameters, or endpoints

Our Commitment

All good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible.

If you provide your contact information, our representatives may contact you for further information. Additionally, we will:

  • Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;
  • Refrain from taking legal action as further set forth in the Safe Harbor section below;
  • With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;
  • Acknowledge your submission within three (3) business days; and
  • Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.

Vulnerability Scoring

Our vulnerability scoring system helps determine the severity and corresponding reward for reported vulnerabilities. While inspired by CVSS 3.0, our scoring system is customized to better align with our business context, specific security priorities and infrastructure.

Scoring Components

  • Base Score Factors:
    • Attack Vector (Network, Adjacent, Local, Physical)
    • Privileges Required (None, Low, High)
    • User Interaction (None, Required)
    • Impact Scope (Changed, Unchanged)
  • Impact Metrics:
    • Confidentiality Impact (High, Low, None)
    • Integrity Impact (High, Low, None)
    • Availability Impact (High, Low, None)

Scoring Scale

Our scoring scale ranges from 0.0 to 10.0, with severity levels mapped as follows:

  • Critical: 9.0 - 10.0
  • High: 7.0 - 8.9
  • Medium: 4.0 - 6.9
  • Low: 0.1 - 3.9

Score Calculation

The final score is calculated by evaluating:

  1. Base Score: Fundamental characteristics of the vulnerability
  2. Temporal Score: Current state of exploit techniques and available fixes
  3. Environmental Score: Specific impact on CodeRabbit's infrastructure

While our scoring system shares common principles with CVSS 3.0, we've adapted it to better reflect:

  • Our specific technology stack and architecture
  • Potential impact on our users and their data
  • Business-critical functions and services
  • Real-world exploitability in our context

Rewards

We offer monetary rewards for responsibly disclosed vulnerabilities based on severity:

  • Critical Severity: $5,000 - $10,000
  • High Severity: $2,000 - $4,000
  • Medium Severity: $500 - $1,500
  • Low Severity: $100 - $400

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state or national laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

To qualify for safe harbor, you must:

  • Make a good faith effort to avoid privacy violations, and avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities.
  • Avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability.
  • Follow this policy and any other relevant agreements. In case of inconsistency, this policy takes precedence.
  • Only interact with accounts you own or with explicit permission of the account holder.
  • Not exploit a security issue you discover for any reason other than testing.
  • Report any vulnerability you've discovered promptly.
  • Not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner.
  • Avoid disclosing the existence of or any details relating to the discovered vulnerability to any third party or to the public until you have received prior written approval from us.
  • Not access, modify, or use data belonging to others, including confidential CodeRabbit data. If a vulnerability exposes such data, stop testing, submit a report immediately, and delete all copies of the information.
  • Avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent.
  • Not exfiltrate, download, or otherwise retain any data that you collect. If you inadvertently access any data, you will report such access to us as part of your report.
  • Disclosure of vulnerabilities to CodeRabbit must be unconditional. Do not engage in extortion, threats, or other tactics to elicit a response under duress. CodeRabbit denies Safe Harbor for vulnerability disclosure conducted under such circumstances.
  • Not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. Treasury Department's Office of Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government.

The safe harbor applies to:

  • Security research conducted on systems and assets within our scope
  • Any issues discovered accidentally during your security research
  • Vulnerabilities discovered by automated tools (if verified manually)

Safe harbor does not apply to:

  • Tests against systems outside our scope
  • Social engineering attacks against our employees
  • Physical attempts to access our offices or data centers
  • Research conducted in a manner that could impact other users or systems

We reserve the right to modify the safe harbor terms. However, all activities conducted under previous terms will remain protected.

Contact

For any questions about this program, please contact us at [email protected]

Note: This vulnerability disclosure program is subject to change. We reserve the right to modify these terms at any time.