At the Open University, as part of our project to start using CodeRunner, we paid a cyber security consultancy to do a day of penetration testing on CodeRunner.
I am afraid that we cannot share the full report with you, since it is confidential between the consultancy and us. However, that is not very important, because they did not really find anything wrong with CodeRunner. (They did detect a handful of other minor ways in which our Moodle could be configured more securely.)
The only really CodeRunner-specific thing they queried was to ask whether we should be limiting access to Python libraries like os, but I don’t think that is feasible. Anyway, the point of the JOBE sandbox is to ensure that can cannot do anything very interesting, even with OS commands.
So, on the basis of this report, our IT Security department has approved us to make CodeRunner available to OU staff and paying students.
In an interesting development, our open courseware folks (http://www.open.edu/openlearn/) have now also woken up to CodeRunner, and would like to use it. Obviously, exposing CodeRunner to the whole Internet, rather than just paying students, is a bigger risk, so it is possible we will do some further in-depth testing (e.g. a code review of the JOBE sandbox). If so, we will share a summary those results with you too.
We hope that getting this testing done, and sharing the results to the extent we can, is a useful contribution to the CodeRunner community.