CodeRide is built by developers, for developers. We believe security is a community effort and welcome responsible security research that helps protect our users.

• CodeRide MCP Server: github.com/PixdataOrg/coderide-mcp
• CodeRide API: api.coderide.ai
• CodeRide Web App: app.coderide.ai
• CodeRide Website: coderide.ai
• Docker containers and deployment configurations
• Authentication and authorization systems
• Data handling and privacy protections

• Tool injection attacks (malicious tool definitions)
• MCP protocol manipulation (message tampering, protocol violations)
• Unauthorized tool execution (bypassing access controls)
• Context poisoning attacks (injecting malicious context data)
• Resource exhaustion through tool abuse
• Cross-tool data leakage between MCP sessions
• Input validation bypasses in tool parameters
• MCP transport security (stdio, HTTP, WebSocket)

• Social engineering attacks against our team
• Physical attacks against our infrastructure
• Third-party services we integrate with (unless we've modified them)
• Denial of Service (DoS/DDoS) attacks
• Spam or content issues

• Vulnerabilities in unmodified third-party dependencies
• Issues requiring physical access to user devices
• Vulnerabilities requiring extensive user interaction beyond normal usage
• Theoretical attacks without practical exploitation paths
• Issues in client-side MCP implementations we don't control
• Vulnerabilities that require admin/root access to the host system
• Issues that only affect unsupported or end-of-life software versions
• Rate limiting bypasses that don't lead to resource exhaustion
• Missing security headers that don't lead to exploitable vulnerabilities

Container escapes, RCE, authentication bypasses, data breaches

• Early Adopter lifetime access (€119 value)
• Public recognition in humans.txt, GitHub, and blog post
• Direct line to our security team
• Special "Security Hero" status in our community

Privilege escalation, injection flaws, sensitive data exposure

• 3 months Pro plan (€87 value)
• Public recognition in humans.txt and GitHub
• Security team contact

Authorization flaws, information disclosure, business logic errors

• 3 months Creator plan (€27 value)
• Public recognition with permission
• Community thanks

Configuration issues, minor information leaks, UI security issues

• 1 month Creator plan (€9 value)
• Public recognition with permission
• Our genuine gratitude

Security best practices, suggestions, documentation improvements

• Public recognition with permission
• Community contributor status
• Direct feedback channel

• Make every effort to avoid privacy violations and data destruction
• Only interact with accounts you own or with explicit permission
• Don't spam, social engineer, or physically attack our team
• Report vulnerabilities promptly after discovery
• Give us reasonable time to respond (we aim for 48-72 hours)

• Clear description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Proof of concept (if applicable)
• Suggested remediation (if you have ideas)

• Email: hello+security@coderide.ai
• Subject: [SECURITY] Brief description
• Use PGP if handling sensitive details: [PGP key if you have one]

• Initial response: Within 72 hours
• Severity assessment: Within 1 week
• Resolution timeline: Based on complexity
• Public disclosure: After fix is deployed (coordinated with you)
• Reward delivery: Within 48 hours of issue resolution

We're a small but growing team building something meaningful for developers. We especially value:

• Educational spirit - Help us learn and grow
• Community focus - Make CodeRide safer for everyone
• Professional approach - Clear communication and responsible disclosure
• Long-term thinking - Building relationships, not just finding bugs

Outstanding security researchers may be invited to:

• Beta test new security features
• Advisory discussions on security architecture
• Community ambassador opportunities
• Conference/blog mentions (with permission)

We support security research conducted in good faith. We will not pursue legal action against researchers who:

• Follow these guidelines
• Act in good faith
• Don't violate laws or harm users
• Coordinate disclosure with our team

Questions? Email us at hello+security@coderide.ai
Last Updated: August 25, 2025
Program Status: Active

"Security is not a feature, it's a foundation. Thank you for helping us build on solid ground." - The CodeRide Team

...

Want to join our Security Hall of Fame? We're always looking for responsible security researchers to help make CodeRide safer for developers worldwide.