Security & Responsible Disclosure
How CodePus protects your code, your credentials and your team.
Our security posture
CodePus encrypts data in transit with TLS 1.3 and at rest with AES-256. Tenant data is isolated per organisation. We follow the principle of least privilege for all internal access and rotate signing keys quarterly.
- TLS 1.3 with HSTS for every public endpoint
- At-rest encryption (AES-256) for usage records, secrets and model traces
- OAuth 2.0 + PKCE + RFC 8628 device-code flow for IDE login
- SSO (SAML 2.0 / OIDC) and SCIM 2.0 for Enterprise plans
- Per-request signing of update artefacts (sha256 + https-only)
Compliance
We continuously align with industry standards.
- SOC 2 Type II — audit in progress
- GDPR & PIPL — data export and deletion endpoints exposed under /dashboard/security
- ISO/IEC 27001 — controls mapped, certification roadmap published below
Reporting a vulnerability
We welcome reports from researchers. Please follow responsible disclosure: do not publicly disclose the issue until we have had a reasonable time to fix it (typically 90 days).
- service@codepus.ai
PGP fingerprint: 4C5E 1F0B 9E1A 7D2A 3F4B 6C7D 8E9F 0A1B 2C3D 4E5F- In scope: codepus.ai, *.codepus.ai, the IDE binary distribution and the open-source repository.
- Out of scope: clickjacking on unauthenticated marketing pages, missing security headers without proven impact, automated scanner output.
- Bounties of $100–$10,000 USD are awarded for in-scope, reproducible vulnerabilities at the discretion of the security team.
Bug bounty hall of fame
We publish researcher acknowledgements with consent after the issue is resolved. Email service@codepus.ai if you would like to be listed.