SECURITY.md

Coder welcomes feedback from security researchers and the general public to helpimprove our security. If you believe you have discovered a vulnerability,privacy issue, exposed data, or other security issues in any of our assets, wewant to hear from you. This policy outlines steps for reporting vulnerabilitiesto us, what we expect, what you can expect from us.

You can see the pretty versionhere

If an attacker could fully compromise a Coder installation, they could spin upexpensive workstations, steal valuable credentials, or steal proprietary sourcecode. We take this risk very seriously and employ routine pen testing,vulnerability scanning, and code reviews. We also welcome the contributions fromthe community that helped make this product possible.

Please report security issues tosecurity@coder.com, providing all relevantinformation. The more details you provide, the easier it will be for us totriage and fix the issue.

Our primary concern is around an abuse of the Coder application that allows anattacker to gain access to another users workspace, or spin up unwantedworkspaces.

• DOS/DDOS attacks affecting availability --> While we do support rate limitingof requests, we primarily leave this to the owner of the Coder installation.Our rationale is that a DOS attack only affecting availability is not avaluable target for attackers.
• Abuse of a compromised user credential --> If a user credential is compromisedoutside of the Coder ecosystem, then we consider it beyond the scope of ourapplication. However, if an unprivileged user could escalate their permissionsor gain access to another workspace, that is a cause for concern.
• Vulnerabilities in third party systems --> Vulnerabilities discovered inout-of-scope systems should be reported to the appropriate vendor orapplicable authority.

When working with us, according to this policy, you can expect us to:

• Respond to your report promptly, and work with you to understand and validateyour report;
• Strive to keep you informed about the progress of a vulnerability as it isprocessed;
• Work to remediate discovered vulnerabilities in a timely manner, within ouroperational constraints; and
• Extend Safe Harbor for your vulnerability research that is related to thispolicy.

In participating in our vulnerability disclosure program in good faith, we askthat you:

• Play by the rules, including following this policy and any other relevantagreements. If there is any inconsistency between this policy and any otherapplicable terms, the terms of this policy will prevail;
• Report any vulnerability you’ve discovered promptly;
• Avoid violating the privacy of others, disrupting our systems, destroyingdata, and/or harming user experience;
• Use only the Official Channels to discuss vulnerability information with us;
• Provide us a reasonable amount of time (at least 90 days from the initialreport) to resolve the issue before you disclose it publicly;
• Perform testing only on in-scope systems, and respect systems and activitieswhich are out-of-scope;
• If a vulnerability provides unintended access to data: Limit the amount ofdata you access to the minimum required for effectively demonstrating a Proofof Concept; and cease testing and submit a report immediately if you encounterany user data during testing, such as Personally Identifiable Information(PII), Personal Healthcare Information (PHI), credit card data, or proprietaryinformation;
• You should only interact with test accounts you own or with explicitpermission from
• the account holder; and
• Do not engage in extortion.

There aren’t any published security advisories