Security & Responsible Disclosure

How CodePus protects your code, your credentials and your team.

Our security posture

CodePus encrypts data in transit with TLS 1.3 and at rest with AES-256. Tenant data is isolated per organisation. We follow the principle of least privilege for all internal access and rotate signing keys quarterly.

  • TLS 1.3 with HSTS for every public endpoint
  • At-rest encryption (AES-256) for usage records, secrets and model traces
  • OAuth 2.0 + PKCE + RFC 8628 device-code flow for IDE login
  • SSO (SAML 2.0 / OIDC) and SCIM 2.0 for Enterprise plans
  • Per-request signing of update artefacts (sha256 + https-only)

Compliance

We continuously align with industry standards.

  • SOC 2 Type II — audit in progress
  • GDPR & PIPL — data export and deletion endpoints exposed under /dashboard/security
  • ISO/IEC 27001 — controls mapped, certification roadmap published below

Reporting a vulnerability

We welcome reports from researchers. Please follow responsible disclosure: do not publicly disclose the issue until we have had a reasonable time to fix it (typically 90 days).

  • service@codepus.ai
  • PGP fingerprint: 4C5E 1F0B 9E1A 7D2A 3F4B 6C7D 8E9F 0A1B 2C3D 4E5F
  • In scope: codepus.ai, *.codepus.ai, the IDE binary distribution and the open-source repository.
  • Out of scope: clickjacking on unauthenticated marketing pages, missing security headers without proven impact, automated scanner output.
  • Bounties of $100–$10,000 USD are awarded for in-scope, reproducible vulnerabilities at the discretion of the security team.

Bug bounty hall of fame

We publish researcher acknowledgements with consent after the issue is resolved. Email service@codepus.ai if you would like to be listed.