Security at Qodo in 2026: Our commitment, recent learnings, and what’s next
As we head into 2026, security is a top priority for Qodo.
Our platform is central to how engineering teams build and ship software. We take the responsibility that comes with that seriously.
Over the past months, a small number of security issues have been reported to us by white-hat researchers (including through programs such as HackerOne). One example was a vulnerability in Qodo that could allow remote code execution (RCE) under specific conditions.
At this stage of our investigation, we have no indication that this vulnerability was exploited in the wild, nor any evidence that customer data was accessed, exposed, or otherwise compromised.
We have remediated the vulnerability in Qodo (and in the PR Agent open-source project, previously maintained by Qodo). No action is required from our customers.
Most importantly, we are using these incidents as catalysts to raise our security bar as the company scales.
In 2026, Qodo is:
- Hiring full-time application security (AppSec) resources dedicated to our platform and SDLC.
- Engaging external experts, including a leading cybersecurity services partner and independent researchers.
- Rolling out more sophisticated security tooling across our infrastructure and development lifecycle to ensure our security posture scales with our growth.
We are embracing the next chapter of security at Qodo. If you have questions or would like to discuss this in more detail, please reply to this email or contact us at [email protected].
