Security

It's your code, it's our responsibility to protect it.

We're developers too, so we know how important your code is to you. What's important to you is important to us.

This page describes the security measures we've set up to protect your code. If you have any questions, please contact us and we'll get back to you directly.

Christophe and Martin
Founders of 8th color
support@pullreview.com
+32 (0)2 318 03 52

Physical Security

System Security

Communications

All access to the PullReview website is secured by SSL certificates provided by GlobalSign. You can verify that the site is protected with the following GlobalSign Secure Site Seal.


All pulling of private source code from GitHub is done over SSH connections authenticated with keys. It is done over HTTPS when pulling public source code.

GitHub authorization

To produce the reviews, we need to clone your code from GitHub. We ask for authorizations from GitHub in two steps.

We use GitHub OAuth with the `repo` or `public_repo` scope. You may revoke that permission at any time through your GitHub application settings page and by removing the PullReview deploy keys and webhooks from your repositories' admin pages.

Please note that the GitHub permission model is "all or nothing", i.e. by authorizing us to access your repositories, PullReview gets permission to access all of them. However, PullReview lets you select the repositories you want to follow, and those are the only ones we'll ever look at.

It's impossible for PullReview to follow a repository for which you don't have the push rights. For private repositories, if you don't have the admin rights, you'll need to ask the admin to add a deploy key via PullReview for that repository.

PullReview never collects or stores passwords for GitHub. The integration is done via OAuth, i.e. we only store the OAuth token that you can revoke via the GitHub application settings.

Staff Access to Code

No 8th color staff will ever read your code. Should we ever need to access your source code to provide support, we will explicitly ask for your permission before taking any action. The only cases in which we will do so without your prior consent are when we suspect abuse or are responding to a critical security issue, but you’ll be the first to be informed.

Only the founders (Christophe and Martin) and the employed developers have the ability to access the source code, and again, only with your prior permission.

When accessing your code, we do so as minimally as possible to resolve the issue and to respect your privacy, author rights, and intellectual property. We do not have any means to clone your repository except as part of the PullReview process.

Maintaining Security

All passwords are filtered from all our logs and are stored in the database as one-way `bcrypt` hashes. Login information is always sent over SSL.

We are also working with security experts to perform regular penetration tests and ongoing audits of PullReview.

We are extremely concerned and active about security, and we always do our best to maintain and increase the security of PullReview. This page will therefore be expanded and updated over time with new measures and information.

Responsible Disclosure

As we're concerned about security, your input and feedback are really appreciated, especially if you've found a vulnerability in PullReview. We'll work with you to understand your report and check whether we have fully addressed your concern.

Please email us at security@pullreview.com; we'll treat it with our highest priority. If possible, please encrypt your message with our GPG key.

During your disclosure, we ask you to:

GPG Key

fingerprint: 1F88 4A62 1A43 5F68 DBB5 4681 CB8E 0A52 E725 DACB


Changelog