Unplanned Maintenance
Incident Report for Code Climate
Postmortem

We are sorry about Code Climate's downtime today. This morning we were alerted to a vulnerability in Git (http://www.esecurityplanet.com/threats/git-svn-and-mercurial-open-source-version-control-systems-update-for-critical-security-vulnerability.html) that could potentially enable an attacker to execute arbitrary code. Code Climate accepts Git URLs from users when adding or updating repositories. Despite having no reason to believe malicious activity has occurred, out of an abundance of caution, we decided to take the site down while we updated our services and ensured that no one had exploited the vulnerability on our system.

We understand that it is inconvenient when Code Climate is unavailable, especially during the work day, and always try to avoid service interruptions when addressing security vulnerabilities. However, security is always our top priority, and given the potential severity of this issue, we felt that bringing the site down was our best course of action.

We are happy to report that all of our underlying services are now running patched versions of Git. Additionally, we reviewed logs of all repositories added or updated within the last 7 days and confirmed none of them contained URLs which attempted to exploit the vulnerability.

Any analyses enqueued or webhooks sent during the outage were not processed. Pull requests opened during the incident will be automatically analyzed after the next push. If you have any questions or concerns, please contact us through our support form: https://codeclimate.com/help

Posted Aug 11, 2017 - 16:38 EDT
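
One way to run the kind of seven-day URL review described above, as an added example that is not Code Climate's code: a strict allowlist check for user-supplied Git URLs, applied to repository records from the review window. The record fields, the allowed schemes, and the sample data are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh"}  # assumption: the only transports offered
# Every DNS label starts and ends with an alphanumeric, so a host can never
# begin with "-" and be mistaken for an option by a tool it is handed to.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")


def url_problem(url):
    """Return None when the URL passes the allowlist, else a short reason."""
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return "whitespace or control character"
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not HOST_RE.fullmatch(parts.hostname or ""):
        return "invalid host"
    if parts.username is not None and not USER_RE.fullmatch(parts.username):
        return "invalid user"
    return None


def audit(records, now, days=7):
    """Return (repo_id, reason) for each in-window record that fails."""
    since = now - timedelta(days=days)
    recent = (r for r in records if datetime.fromisoformat(r["ts"]) >= since)
    checked = ((r["repo_id"], url_problem(r["url"])) for r in recent)
    return [(rid, why) for rid, why in checked if why]


# Constructed sample records; field names and values are hypothetical.
SAMPLE = [
    {"ts": "2017-08-10T14:02:11+00:00", "repo_id": 101, "url": "https://github.com/acme/app.git"},
    {"ts": "2017-08-09T09:30:00+00:00", "repo_id": 102, "url": "ssh://git@git.example.com:2222/acme/api.git"},
    {"ts": "2017-08-08T18:45:37+00:00", "repo_id": 103, "url": "ssh://-x/acme/lib.git"},
    {"ts": "2017-08-07T07:12:05+00:00", "repo_id": 104, "url": "file:///srv/repos/internal.git"},
    {"ts": "2017-07-20T11:00:00+00:00", "repo_id": 105, "url": "ssh://-x/old/repo.git"},
]
NOW = datetime.fromisoformat("2017-08-11T17:41:00+00:00")
```

Running `audit(SAMPLE, NOW)` flags records 103 and 104; record 105 is outside the seven-day window and appears only when `days` is widened. The same `url_problem` check can be applied when a URL is submitted, so a rejected value is never stored or passed on.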

Resolved
Code Climate is available again. A public post-mortem will follow.
Posted Aug 11, 2017 - 16:30 EDT
Update
Thank you for your patience while we complete this unplanned maintenance. We hope to be back online by 5PM EDT.
Posted Aug 11, 2017 - 15:23 EDT
Identified
Code Climate is down for unplanned maintenance. Updates will be posted here as available.
Posted Aug 11, 2017 - 13:41 EDT