smsm42 6 days ago
When I read up to "One can use the Rubocop configuration file to specify the path to an extension Ruby file" my immediate thought was "oh no, they didn't allow a user-extendable tool to run in their prod environment..." - and yes, they did. Not that it'd be properly secure without this glaring hole - I don't think many linters are properly audited and fuzzed against hostile inputs - but this is like opening the front door and hanging a blinking neon sign "Please Hack Us!" over it.
frankfrank13 6 days ago | parent
Even better when you read the CEO's response:

> The researchers identified that Rubocop, one of our tools, was running outside our secure sandbox environment

I don't think that was the main problem lol