How the Privacy Issue Started
On Sunday, security researchers at Cereblab revealed that Grok Build was packaging user repositories as Git Bundles and transmitting them to Google Cloud storage. The discovery sparked immediate backlash from the developer community, who questioned why their code was being sent to external servers at all.
Elon Musk and SpaceX responded quickly with a public statement. The company promised to delete all data Grok Build had previously stored and to give users more control over how their data is handled going forward.
Open-Sourcing as a Trust-Building Measure
As part of its privacy commitment, SpaceX pledged to open-source Grok Build’s codebase. The code went live on GitHub on Wednesday and is undergoing a security audit.
The release does have some limitations worth noting. It’s a single commit with no pull requests or detailed git history, making it harder to understand the development process. According to Simon Willison, creator of Datasette, the Grok Build codebase contains 844,530 lines of Rust code. The component responsible for sending repositories to the cloud is still there, though it appears to have been modified.
New Privacy Defaults in Place
SpaceX clarified its data retention practices in a statement accompanying the open-source release. The company explained that Zero Data Retention (ZDR) was always the default for enterprise customers. For regular users, data retention was enabled by default during the early beta phase, which the company now acknowledges was a mistake.
With all retained data deleted, retention default off, and an open-source harness, we are offering complete user privacy
, SpaceXAI stated. Starting July 12th, data retention was disabled by default for all Grok Build users, and the company is working to delete all previously retained coding data.
Security Bounty Program Launched
To ensure the open-sourced code is thoroughly vetted, SpaceX has invited security researchers to audit Grok Build for vulnerabilities. Any findings can be submitted through the company’s bug bounty program.
Researchers who identify security issues can earn rewards ranging from $100 to $20,000, depending on how severe the vulnerability is. This approach gives the security community a financial incentive to help harden the codebase and catch any remaining privacy risks before they can affect users.
What Comes Next
The open-source release puts Grok Build’s inner workings on public display for the first time. Developers can now inspect exactly how the tool handles their code and data. Whether this transparency will fully restore community trust remains to be seen, but it’s a significant step toward addressing the original privacy concerns that sparked this entire controversy.
Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to Get Instant Updates



