Our response to the January 2025 Kudelski Security vulnerability disclosure: Action & continuous improvement

by Harjot Gill

August 19, 2025

4 min read

No customer data was accessed and the vulnerability was quickly remediated within hours of disclosure

As the CEO, I want to address recent reports of a security vulnerability discovered in January 2025 by Kudelski Security researchers and share our immediate response, the steps we've taken since, and our ongoing commitment to security.

What happened

On January 24, 2025, security researchers from Kudelski Security disclosed a vulnerability to us through our Vulnerability Disclosure Program (VDP). The researchers identified that Rubocop, one of our tools, was running outside our secure sandbox environment — a configuration that deviated from our standard security protocols.

We immediately initiated an investigation and were able to remediate this issue within hours through our rapid incident response protocol. We confirmed the issue disclosed by Kudelski Security, found no evidence of any other unauthorized access, identified the root cause, implemented a fix, and, as described below, enhanced our security protocols to prevent similar incidents.

To be clear: We use secure sandboxes as standard practice across our infrastructure. This was an oversight on our part and we take full responsibility for it.

Our immediate response

Upon receiving the disclosure, our security team activated our incident response protocol:

  • Within 1 hour: We confirmed the vulnerability and began immediate remediation by first disabling Rubocop until we could fix the vulnerability.

  • Within 3 hours: We completed a full rotation of all relevant credentials and secrets.

  • Within 12 hours: We deployed a comprehensive fix to production, relocating Rubocop into our secure sandbox environment.

  • Additionally, we:

    • Conducted a thorough audit of all systems to ensure no other services were running outside our sandbox infrastructure.

    • Automated sandbox enforcement.

    • Introduced enhanced deployment gates.

    • Audited and updated our mandatory security training for all engineers.

We promptly investigated to identify any potential unauthorized access. The investigation identified no evidence that any customer data was accessed or that any malicious activity occurred.

Why this matters to us

Security isn't just a checkbox for us; it's fundamental to our mission. While our services run within secure sandboxes as designed, in this case, the investigation determined that Rubocop had been deployed outside this security boundary. This deviation from our standards, while contained quickly and without customer impact, is unacceptable to us. We took action immediately to ensure it wouldn’t happen again.

What we're doing differently

  1. Comprehensive sandbox audit: We immediately completed a full review of ALL services to ensure 100% compliance with our sandbox requirements. Rubocop was the only service found outside our sandbox environment and this has been rectified.

  2. Automated sandbox enforcement: We immediately implemented automated checks that have since prevented any service from deploying outside our security boundaries.

  3. Enhanced deployment gates: Every deployment now requires supplemental explicit sandbox verification before reaching production.

  4. Updated training: We also audited and updated our mandatory security training for all engineers.

Our VDP program: Security through collaboration

This vulnerability disclosure exemplifies why we've invested heavily in building a Vulnerability Disclosure Program. It features:

  • Active researcher engagement: We maintain ongoing relationships with multiple security researchers worldwide.

  • Competitive rewards: Top-tier bounties that recognize the value of security research.

  • Fast response times: Average first response under 24 hours, resolution within 7 days.

  • Clear communication: Dedicated security team providing regular updates throughout the disclosure process.

The value of responsible disclosure

Kudelski Security's professional approach allowed us to address this vulnerability before it could be exploited maliciously. This is exactly how the security ecosystem should work — researchers and companies collaborating to improve security for everyone.

We're grateful for their professionalism and encourage all security researchers to engage with us through our VDP program at https://vdp.coderabbit.ai/. Whether you're an independent researcher or part of an established firm, we value your contributions to our security.

Our commitment

To our users, we will continue to:

  • Maintain secure sandboxes as our default security boundary for all services

  • Invest heavily in security infrastructure and tooling

  • Run one of the industry's most comprehensive VDP programs

  • Actively engage and reward security researchers

  • Learn from every vulnerability disclosure and incident, no matter how small

  • Hold ourselves to the highest security standards

  • Maintain compliance with industry security standards like SOC 2 Type 2

We're grateful to Kudelski Security for their research and committed to our users who trust us with their data.

We welcome any questions or concerns at security@coderabbit.ai or through our VDP portal at https://vdp.coderabbit.ai/.