How Hacktron provides 24/7 security for Rocket.Chat
Rocket.Chat logo

How Hacktron provides 24/7 security for Rocket.Chat

June 30, 2026
5 min read
Open-Source Software Collaboration Software

1-2 minutes on average

to review a PR for security issues

17 real vulnerabilities

found and triaged in first 20 days

73% of issues found

were actionable and addressed

We're now able to scale security scanning across all of our PRs.

Hacktron flags potential issues, letting us focus our review effort on the pull requests that need closer attention.

Julio Araujo

Julio Araujo

Rocket.Chat

Rocket.Chat logo

About Rocket.Chat

Rocket.Chat is an open-source, fully customizable communications platform used by government, defense, and enterprise teams worldwide. Security is a top priority for software at this scale and size and one of the cheapest place to catch security vulnerabilities is early in software development lifecyle, through better design and continuous code reviews before it reaches production.

The challenge: a growing gap between code velocity and security review

However, even before AI, the developer to security-engineer ratio made it impractical to meticulously review PR for vulnerabilities. Now that AI is accelerating how fast code gets written and shipped, reviewing every change for security has become more crucial than ever.

We simply don't have enough engineers to perform a thorough review of every PR. Traditional SAST, SCA, and secrets-scanning tools can be very useful, and we still use them, but they often lack the context needed to identify complex issues like business-logic vulnerabilities.

They also struggle to reason across multiple steps or chain vulnerabilities together to understand how a system could actually be exploited.

Julio Araujo

Julio Araujo

Rocket.Chat

Rocket.Chat logo

Scaling security review across every PR with Hacktron

To close that gap, Rocket.Chat uses Hacktron Review for continuous, 24/7 code and security review, helping catch expensive vulnerabilities before they reach production.

For every PR, Hacktron:

  • Performs a deep security review of the code changes.
  • Flags vulnerabilities directly in the PR with clear comments.
  • Enables developers to fix actionable issues before merging.
  • Helps the security team track and batch lower-priority findings for periodic remediation.
  • Keeps security review continuous, instead of relying only on periodic audits or manual reviews.

Hacktron learns from our codebase and feedback over time.

As we provide more context about intended functionality, accepted risks, and security requirements, false positives become less frequent, improving accuracy and cutting the time spent triaging non-issues.

Julio Araujo

Julio Araujo

Rocket.Chat

Rocket.Chat logo

Let’s walk through an analysis of Hacktron’s reviews on Rocket.Chat: what kinds of vulnerabilities it finds, how accurate those findings are, and how it helps the team ship faster. Over the first 20 days, it reviewed 155 PRs and surfaced real issues. These include a critical authorization bug that would have let any logged-in user download another user’s full data export, two critical Apple OAuth flaws that weakened the login boundary across deployments, and a few XSS vulnerabilities.

Analysis of Hacktron PR Reviews on Rocket.Chat

Over the first 20 days (June 5-25, 2026), Hacktron reviewed every pull request as it came in. Here’s a breakdown of PRs reviewed, issues found, how they were triaged, and the real severity of the true positives.

Hacktron PR review findings flow

MetricValue
Unique PRs reviewed155
PR scans run490
Files changed reviewed10,744
PRs with security findings20
Unique findings (deduplicated)37
True positive / Accepted risk / False positive17 / 10 / 10
Actionable rate (TP + accepted risk)73%

Every PR was reviewed automatically, and the reviews themselves ran in ~1-2 minutes for a typical PR — fast enough to sit in CI without slowing anyone down. However, it is important to note that if PR has lot of changes, Hacktron takes its time to be thorough in its testing.

Hacktron review time by pull request

What kinds of vulnerabilities does it find?

Now, the important question is what kind of vulnerabilities it caught. Hacktron isn’t just a pattern-matcher; it reads and reasons about the code just like a security researcher. So the findings spanned most of the OWASP Top 10: broken access control, authentication/2FA bypasses, XSS, SSRF/open-redirect, cryptographic failures, secret exposure, and business-logic flaws.

Let’s get into detail of top 3 vulnerabilites that Hacktron caught.

Account takeover via Apple OAuth (Critical, CVE-2026-55666)

This is the first vulnerability Hacktron found right after Rocket.Chat integrated it into their workflows, and it’s a very elegant and critical bug.

One important detail here is that Hacktron found a bug outside of the PR changes. The reason for this is that Hacktron’s reviews are not narrowly limited to PR diff; it navigates dependencies and effects across the whole codebase to find second-order vulnerabilities.

Apple OAuth account takeover finding

In apps/meteor/app/apple/server/loginHandler.ts, the Apple Sign-In flow fell back to a client-supplied email when the Apple JWT didn’t contain one:

const serviceData = await handleIdentityTo ken(identityToken);
if (!serviceData.email && email) {
serviceData.email = email; // attacker-controlled fallback
}

An attacker could forge an Apple JWT with no email claim and supply an arbitrary email in the request, letting them authenticate as any user. Rocket.Chat published this as a Critical advisory (GHSA-wx3c-76rf-wpwf, CVE-2026-55666) as the vulnerability existed in pre-existing code.

Apple sign-in skips JWT claims validation (High, CVE-2026-55759)

There was another bug in the same handler: it verified the JWT signature but skipped claims validation. It used JWS.verify (signature only) instead of JWS.verifyJWT, and never checked aud, exp, or nbf. Any Apple-signed token with a non-empty iss was accepted, so a leaked or cross-audience token could be replayed to log in as the victim, with no expiry on the replay window. Rocket.Chat published this as a High advisory (GHSA-c75c-5hc7-j4vp, CVE-2026-55759).

Apple Sign-In JWT claims validation finding

Any user could download another user’s data export (Critical)

In the GDPR data-export download path, the access check was called without the file object, so it fell open and authorized any logged-in user. With a valid export file ID, an attacker could pull another user’s full data export: private messages, profile, and room data. Caught in PR #40889 and fixed before merge.

GDPR data export authorization finding

The result: a stronger security posture, and less time spent triaging non-issues.

For Rocket.Chat, the biggest impact is leverage. Hacktron gives the security team a way to apply expert review consistently across the development workflow, without turning security into a blocker for engineering velocity.

The result is a tighter feedback loop between engineering and security: vulnerabilities are caught earlier, developers get clearer guidance at the point of change, and the security team spends less time sorting through noise and more time on the issues that genuinely matter.

Hacktron reviews your code and finds real vulnerabilities before they ship to production.