
Security at LobsAI Coder

Your security and privacy are our top priorities. We employ industry-leading practices to protect your code, data, and intellectual property.

🔒 Security Overview

LobsAI Coder is designed with security at its core. We understand that as developers, you work with sensitive code and proprietary information daily. Our commitment to security extends across every aspect of our service:

  • End-to-End Encryption: All data transmitted between your VS Code environment and our servers is encrypted using TLS 1.3
  • Zero Data Retention: We do not store your code on our servers. Code is processed in real-time and immediately discarded
  • Local Processing: Where possible, operations are performed locally on your machine
  • Secure API Integration: Your AI provider API keys are stored locally and encrypted
  • Regular Security Audits: We conduct quarterly third-party security assessments
  • Compliance: SOC 2 Type II, GDPR, and CCPA compliant

🛡️ Vulnerability Disclosure Policy

We value the security research community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in LobsAI Coder, please report it to us following these guidelines:

📧 Contact Information

Email: [email protected]

PGP Key: Available upon request for encrypted communications

GitHub Security Advisories: Report via GitHub

What to Include in Your Report

  • Description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Proof of concept (if applicable)
  • Your name and contact information for follow-up
  • Any suggested remediation steps

Responsible Disclosure Timeline

  • Day 0, Initial Report: Submit your security vulnerability report to [email protected]
  • Within 24 Hours, Acknowledgment: We acknowledge receipt of your report and assign a tracking ID
  • Within 3 Days, Initial Assessment: Our security team validates the issue and determines severity level
  • Within 7 Days, Detailed Response: We provide a detailed response with our planned remediation timeline
  • 30-90 Days, Remediation & Disclosure: We fix the vulnerability and coordinate public disclosure with the reporter

✅ Security Best Practices for Users

Help us keep your development environment secure by following these recommendations:

API Key Management

  • Store API keys securely using VS Code's built-in secret storage
  • Never commit API keys to version control systems
  • Use environment-specific API keys for different projects
  • Rotate API keys regularly (recommended: every 90 days)
  • Monitor API key usage for unusual activity

Extension Security

  • Always download LobsAI Coder from official sources (VS Code Marketplace, Open VSX)
  • Keep the extension updated to the latest version
  • Review extension permissions before granting access
  • Be cautious when using third-party MCP servers
  • Report suspicious behavior immediately

Code Privacy

  • Review code snippets before sending them to AI providers
  • Use .lobsignore files to exclude sensitive files from AI context
  • Be mindful of proprietary code and trade secrets
  • Understand your organization's AI usage policies
  • Consider using local AI models for highly sensitive projects

Data Protection Measures

In-Transit Security

All communications between your VS Code instance and external services are encrypted using:

  • TLS 1.3 for all API communications
  • Certificate pinning for critical endpoints
  • Perfect Forward Secrecy (PFS) enabled

At-Rest Security

Data stored locally on your machine is protected by:

  • VS Code's native encryption for sensitive settings
  • OS-level keychain integration (macOS Keychain, Windows Credential Manager, Linux Secret Service)
  • Encrypted cache directories with AES-256

Third-Party AI Providers

When using third-party AI providers (OpenAI, Anthropic, Google, AWS, etc.):

  • Your code is sent directly to the AI provider you've configured
  • We do not intercept, store, or process your code on our servers
  • Each provider has its own data retention and privacy policies
  • Review your chosen provider's security documentation
  • Consider using providers with zero data retention policies

💰 Bug Bounty Program

We recognize and reward security researchers who help us maintain the highest security standards. Our bug bounty program offers rewards based on the severity and impact of discovered vulnerabilities.

Scope

The following are within scope for our bug bounty program:

  • LobsAI Coder VS Code Extension
  • API endpoints (api.lobsaicoder.com)
  • Website (www.lobsaicoder.com, app.lobsaicoder.com)
  • Documentation site (docs.lobsaicoder.com)

Out of Scope

  • Third-party dependencies (report to respective maintainers)
  • Social engineering attacks
  • Physical attacks against our infrastructure
  • Denial of Service (DoS) attacks

Reward Structure

Severity | Impact | Reward Range
Critical | Remote code execution, data breach | $500 - $2,500
High | Authentication bypass, privilege escalation | $250 - $1,000
Medium | SQL injection, XSS, CSRF | $100 - $500
Low | Information disclosure, rate limiting issues | $50 - $250

Note: Rewards are at our discretion and based on the actual risk to our users. Duplicate reports, previously known issues, and reports that don't follow responsible disclosure guidelines are not eligible for rewards.

🏆 Security Researchers Hall of Fame

We're grateful to the security researchers who have helped us improve LobsAI Coder. With permission, we recognize their contributions here:

No researchers have been added yet. Be the first to help us improve security!

📢 Security Advisories

We publish security advisories for all significant vulnerabilities that affect LobsAI Coder. Stay informed about security updates through:

  • GitHub Security Advisories: View Advisories
  • RSS Feed: Subscribe to our security feed for automatic updates
  • Email Notifications: Opt in to receive critical security alerts
  • Extension Updates: We push security updates through the VS Code Marketplace

⚠️ Security Alert Subscription: Sign up for our security mailing list to receive immediate notifications of critical vulnerabilities. Email [email protected] with subject "Subscribe to Security Alerts".

📋 Compliance & Certifications

LobsAI Coder is committed to meeting international security and privacy standards:

🔒 SOC 2 Type II

We maintain SOC 2 Type II compliance, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.

🇪🇺 GDPR Compliant

Fully compliant with the General Data Protection Regulation, ensuring the privacy and protection of personal data for EU residents.

🇺🇸 CCPA Compliant

Adhering to the California Consumer Privacy Act, protecting the privacy rights of California residents.

ISO 27001 (In Progress)

Currently working towards ISO 27001 certification for information security management systems. Expected completion: Q2 2026.

📞 Security Questions & Contact

If you have questions about our security practices, need to report a vulnerability, or want to discuss security concerns, please contact our security team:

  • Email: [email protected]
  • GitHub: Security Tab
  • PGP Key: Request Key

🛡️ For Security Emergencies:

If you believe you've discovered an actively exploited vulnerability that poses immediate risk to users, please email [email protected] with "URGENT" in the subject line. We monitor this inbox 24/7.

Last Updated: November 3, 2025

This security policy is reviewed and updated quarterly. For the latest version, visit lobsaicoder.com/security

©2025 Laabamone Business Solutions. All Rights Reserved.