1-2 minutes on average
to review a PR for security issues
17 real vulnerabilities
found and triaged in first 20 days
73% of issues found
were actionable and addressed
We're now able to scale security scanning across all of our PRs.
Hacktron flags potential issues, letting us focus our review effort on the pull requests that need closer attention.
About Rocket.Chat
Rocket.Chat is an open-source, fully customizable communications platform used by government, defense, and enterprise teams worldwide. Security is a top priority for software at this scale and size and one of the cheapest place to catch security vulnerabilities is early in software development lifecyle, through better design and continuous code reviews before it reaches production.
The challenge: a growing gap between code velocity and security review
However, even before AI, the developer to security-engineer ratio made it impractical to meticulously review PR for vulnerabilities. Now that AI is accelerating how fast code gets written and shipped, reviewing every change for security has become more crucial than ever.
We simply don't have enough engineers to perform a thorough review of every PR. Traditional SAST, SCA, and secrets-scanning tools can be very useful, and we still use them, but they often lack the context needed to identify complex issues like business-logic vulnerabilities.
They also struggle to reason across multiple steps or chain vulnerabilities together to understand how a system could actually be exploited.
Scaling security review across every PR with Hacktron
To close that gap, Rocket.Chat uses Hacktron Review for continuous, 24/7 code and security review, helping catch expensive vulnerabilities before they reach production.
For every PR, Hacktron:
- Performs a deep security review of the code changes.
- Flags vulnerabilities directly in the PR with clear comments.
- Enables developers to fix actionable issues before merging.
- Helps the security team track and batch lower-priority findings for periodic remediation.
- Keeps security review continuous, instead of relying only on periodic audits or manual reviews.
Hacktron learns from our codebase and feedback over time.
As we provide more context about intended functionality, accepted risks, and security requirements, false positives become less frequent, improving accuracy and cutting the time spent triaging non-issues.
Let’s walk through an analysis of Hacktron’s reviews on Rocket.Chat: what kinds of vulnerabilities it finds, how accurate those findings are, and how it helps the team ship faster. Over the first 20 days, it reviewed 155 PRs and surfaced real issues. These include a critical authorization bug that would have let any logged-in user download another user’s full data export, two critical Apple OAuth flaws that weakened the login boundary across deployments, and a few XSS vulnerabilities.
Analysis of Hacktron PR Reviews on Rocket.Chat
Over the first 20 days (June 5-25, 2026), Hacktron reviewed every pull request as it came in. Here’s a breakdown of PRs reviewed, issues found, how they were triaged, and the real severity of the true positives.

| Metric | Value |
|---|---|
| Unique PRs reviewed | 155 |
| PR scans run | 490 |
| Files changed reviewed | 10,744 |
| PRs with security findings | 20 |
| Unique findings (deduplicated) | 37 |
| True positive / Accepted risk / False positive | 17 / 10 / 10 |
| Actionable rate (TP + accepted risk) | 73% |
Every PR was reviewed automatically, and the reviews themselves ran in ~1-2 minutes for a typical PR — fast enough to sit in CI without slowing anyone down. However, it is important to note that if PR has lot of changes, Hacktron takes its time to be thorough in its testing.

What kinds of vulnerabilities does it find?
Now, the important question is what kind of vulnerabilities it caught. Hacktron isn’t just a pattern-matcher; it reads and reasons about the code just like a security researcher. So the findings spanned most of the OWASP Top 10: broken access control, authentication/2FA bypasses, XSS, SSRF/open-redirect, cryptographic failures, secret exposure, and business-logic flaws.
Let’s get into detail of top 3 vulnerabilites that Hacktron caught.
Account takeover via Apple OAuth (Critical, CVE-2026-55666)
This is the first vulnerability Hacktron found right after Rocket.Chat integrated it into their workflows, and it’s a very elegant and critical bug.
One important detail here is that Hacktron found a bug outside of the PR changes. The reason for this is that Hacktron’s reviews are not narrowly limited to PR diff; it navigates dependencies and effects across the whole codebase to find second-order vulnerabilities.

In apps/meteor/app/apple/server/loginHandler.ts, the Apple Sign-In flow fell back to a client-supplied email when the Apple JWT didn’t contain one:
const serviceData = await handleIdentityTo ken(identityToken);if (!serviceData.email && email) { serviceData.email = email; // attacker-controlled fallback}An attacker could forge an Apple JWT with no email claim and supply an arbitrary email in the request,
letting them authenticate as any user. Rocket.Chat published this as a Critical advisory
(GHSA-wx3c-76rf-wpwf, CVE-2026-55666) as the vulnerability existed in pre-existing code.
Apple sign-in skips JWT claims validation (High, CVE-2026-55759)
There was another bug in the same handler: it verified the JWT signature but skipped claims validation.
It used JWS.verify (signature only) instead of JWS.verifyJWT, and never checked aud, exp, or nbf.
Any Apple-signed token with a non-empty iss was accepted, so a leaked or cross-audience token could be replayed to log in as the victim,
with no expiry on the replay window. Rocket.Chat published this as a High advisory
(GHSA-c75c-5hc7-j4vp, CVE-2026-55759).

Any user could download another user’s data export (Critical)
In the GDPR data-export download path, the access check was called without the file object, so it fell open and authorized any logged-in user. With a valid export file ID, an attacker could pull another user’s full data export: private messages, profile, and room data. Caught in PR #40889 and fixed before merge.

The result: a stronger security posture, and less time spent triaging non-issues.
For Rocket.Chat, the biggest impact is leverage. Hacktron gives the security team a way to apply expert review consistently across the development workflow, without turning security into a blocker for engineering velocity.
The result is a tighter feedback loop between engineering and security: vulnerabilities are caught earlier, developers get clearer guidance at the point of change, and the security team spends less time sorting through noise and more time on the issues that genuinely matter.