Coder and the code-server team want to keep the code-server project secure and safe for end-users.
We use the following tools to help us stay on top of vulnerability mitigation.
Audit for vulnerabilitiesstep in
ci.yaml) on PRs into the default branch and fails CI if moderate or higher vulnerabilities (see the
audit.shscript) are present.
Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.