We know that your source code is one of your most valuable and sensitive assets. For most development teams, it's a literal representation of your most important work product.
CodeStream’s servers do not require access to your source code, as all interactions with the code are done locally in your IDE, leveraging your IDE’s own access to the code. For example, when you select a block of code to discuss, CodeStream captures the commit IDs and line number offsets that allow us to maintain the connection between the discussion and the block of code.
Note that CodeStream does need to store snippets of code in our database. This happens when you discuss a block of code by creating a Codemark. CodeStream saves that block of code in the database for a variety of reasons, not the least of which is the possibility that the code in question may not have been pushed yet, in which case storing it is the only way to share it with your teammates. This also happens when you ask a teammate to review your code by creating a Feedback Request. CodeStream stores the diffs required to reconstruct the changeset so that your teammate can do the review without needing to switch branches or pull the latest changes.
CodeStream’s integrations with GitHub and GitLab allow you to create, manage and review pull requests from your IDE. In order to provide this robust functionality, CodeStream asks for the minimal scopes possible from each service, but the integrations do require both read and write access to your GitHub organizations/GitLab groups. When working with pull requests via these integrations, the CodeStream extension hits the GitHub/GitLab backend directly. Nothing goes through, or is stored on, the CodeStream backend when it comes to pull requests.
CodeStream is committed to helping our users understand their rights and obligations under the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. We have introduced tools and processes to ensure our compliance with the requirements imposed by the GDPR and to help our customers comply as well.
If you think you have found a security issue, please email us at firstname.lastname@example.org. Please do not publicly disclose the issue or any related information until we have had a chance to review it and respond to you.
CodeStream provides monetary rewards, up to $500, for properly reported security issues. The reward is determined by the severity of the issue, the percentage of users impacted, and the likelihood of encountering the vulnerability under normal use of our service.