Code Climate Security

I understand the security of your company's source code is extremely important. This page describes select measures we employ to ensure your code is safe. If you have any questions, please don't hesitate to contact us.

-Bryan

—
Bryan Helmkamp
Founder, Code Climate

Physical security

• Systems are hosted in ISO 27001 and FISMA certified data centers managed by Amazon Web Services
• Physical access is strictly controlled both at the perimeter and at building ingress points
• Data centers employ onsite security staff, video surveillance, and intrusion detection systems
• Authorized staff must pass two-factor authentication a minimum of two times to access data center floors
• Data centers are housed in nondescript facilities
• Physical security verified by third-party auditors

For more information see https://aws.amazon.com/security/.

System and operational security

• Security policies and procedures, regularly reviewed as part of the Amazon Web Services SSAE 16 Type II audit process
• Systems access logged and tracked for auditing purposes.
• Regular system patching processes to provide ongoing protection from exploits
• Firewall to prohibit unauthorized system access
• Intrusion detection systems to provide an additional layer of protection against unauthorized system access

We work with multiple respected security firms (like Matasano and Lift Security) to perform regular penetration testing and audits of Code Climate and its infrastructure.

File systems and communication

All access to the Code Climate website is restricted to HTTPS encrypted connections. Private source code is transmitted over SSH connections authenticated with SSH keys and not passwords. Each project added to Code Climate is assigned a unique SSH key which is added to your Git server as a "deploy key". As a static analysis tool, Code Climate never executes source code provided by its users.

User passwords are secured with BCrypt. They are never stored in the database in plaintext and are not readable by staff. Passwords do provide access to the Code Climate website, however, and it is the responsibility of the end user to protect his password with care. Code Climate also offers and recommends optional two-factor authentication for users who would like additional authentication security.

Code Climate never collects or stores passwords for external applications like GitHub, Campfire, HipChat etc. Integration with third-party apps is done via either OAuth or API keys.

Like GitHub.com, we do not encrypt repositories on disk because it would not increase security. The Code Climate website and workers would need to decrypt the source code on demand, slowing down updates and page response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.

Repository data is stored on Code Climate's production servers until deleted by the user. This can be done at anytime by deleting an individual repository or by deleting the account that owns a repository. We do not retroactively delete data from our backups, as we may need to restore data if it was removed accidentally.

Employee access

No Code Climate staff will access private source code unless required for support reasons. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a critical security issue or suspected abuse.

When working a support issue we do our best to respect your privacy as much as possible, we only access the minimum files and settings needed to resolve your issue. Staff does not have direct access to clone your repository.

Finally, it's worth noting that Code Climate's staff is quite small, limiting the number of individuals who would provide you support.

Credit card safety

When you purchase a paid Code Climate subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.

Reporting a security concern

Your input and feedback on our security as well as responsible disclosure is always appreciated. If you've discovered a security concern, please email us at [email protected]. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to address any issues that arise ASAP.

Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated and we won't take legal action against you if act accordingly.

Thanks!

Thank you for helping us keep Code Climate safe. We'd also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:

• Ishan Anand
• Kamil Sevi
• Manish Kumar Yadav
• Narendra Bhati
• Yogendra Sharma
• Aditya Agrawal
• Zee Shan
• Stefan Sundin
• Harry Gertos

Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.