Basically, we got a security disclosure through our HackerOne; it’s actually been a really nice setup since we kind of moved to that. Basically, late July last year a researcher identified that Jenkins - which is what we’ve used for Homebrew’s CI and building our binary packages - had been leaking a token, unfortunately. Previously we had just “Oh, well create an issue, or send us an email, or whatever”, and people suggested that we get set up on HackerOne, that it’s a responsible disclosure platform thing, and it’s free for open source… And that’s worked pretty well for us.

That token actually gave him push access to some repos, and so that was obviously relatively terrifying. Obviously, the bonuses of good disclosure are that within a few hours we were able to revoke the creds, we were able to replace them and sanitize Jenkins, so this shouldn’t happen in the future… And also basically check to see with the old credentials what was possible and what wasn’t. Thankfully, it actually wasn’t as bad as initially we feared, because although it has to have write access, that particular credential didn’t have actual push access to the given repos, and we were also able to verify, with GitHub Support’s help and some auditing ourselves, that it hadn’t been used by anyone during the period in which the scopes were elevated and in which it had write access.

So we wrote it all up on our blog, tried to let people know what happened, what the implications were, and what we were gonna do moving forward. We tried to move on since then, and haven’t had any other big slip-ups similarly since then, which has been good. So basically, one of those ones where scary at times, but thankfully all resolved…

I mean, it’s a great question, to be honest, and I don’t mean to scare people with this stuff, but… I mean, I’m very much of the belief that unless you are a very high-level security professional who has deep knowledge in this stuff, if you’re going against a nation state, it’s more or less, as they say, “Game over, man.”
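The response described above has two concrete steps a maintainer can automate: finding tokens that a CI system has leaked into its logs before those logs are archived or published, and checking whether the scopes a credential actually holds exceed what the job needs. The following is an added example written for this page, not Homebrew's code or any of its tooling. It assumes GitHub's documented token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`), a hand-written map of which GitHub OAuth scopes imply which others, and a constructed Jenkins-style log excerpt; the function names are the author's own.

```python
import re

# Constructed sample of a Jenkins console log. Both tokens are fake values in the
# documented GitHub formats; the 40-hex string on the last line is a commit SHA,
# not a secret, and must not be flagged.
SAMPLE_CI_LOG = """\
[Pipeline] sh
+ git push https://x-access-token:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.com/example/repo.git
Build step 'Execute shell' marked build as failure
+ curl -H 'Authorization: token github_pat_11AAAAAAA0bbbbbbbbbbbbbb_cccccccccccccccccccccccccccccccc' https://api.github.com/user
Commit 3f786850e387550fdab836ed7e6dc881de23001b built successfully
"""

# Prefixed GitHub token formats. Legacy 40-hex tokens (no prefix) are
# indistinguishable from git SHAs by shape alone and need context-based
# matching (e.g. preceded by "token " or "Authorization:"), which this
# example deliberately leaves out to avoid false positives on commit ids.
TOKEN_RE = re.compile(r"(?P<prefix>gh[pousr]_|github_pat_)(?P<secret>[A-Za-z0-9_]{20,})")


def redact_line(line: str) -> str:
    """Replace the secret part of any token with a marker, keeping the prefix
    so an analyst can still tell which token type leaked."""
    return TOKEN_RE.sub(lambda m: m.group("prefix") + "[REDACTED]", line)


def find_token_leaks(lines):
    """Return [(1-based line number, redacted line)] for every line that
    contains a token-shaped string. The caller never sees the secret itself."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if TOKEN_RE.search(line):
            hits.append((number, redact_line(line)))
    return hits


# Assumption for this example: a partial map of GitHub OAuth scope hierarchy
# (a broad scope grants everything the narrower scopes below it grant).
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes_header(value: str):
    """Parse the comma-separated form GitHub uses in its X-OAuth-Scopes
    response header, e.g. 'repo, read:org'."""
    return {s.strip() for s in value.split(",") if s.strip()}


def effective_scopes(scopes):
    """Expand a scope set to everything it transitively implies."""
    out, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope in out:
            continue
        out.add(scope)
        stack.extend(SCOPE_IMPLIES.get(scope, ()))
    return out


def excess_scopes(header_value: str, allowed):
    """Scopes a credential holds beyond a least-privilege baseline.
    A non-empty result means the token should be reissued with fewer scopes."""
    return effective_scopes(parse_scopes_header(header_value)) - effective_scopes(allowed)


if __name__ == "__main__":
    for number, line in find_token_leaks(SAMPLE_CI_LOG.splitlines()):
        print(f"line {number}: {line}")
    # A CI job that only needs to read public repos and org membership,
    # checked against a token that was granted full "repo".
    print(sorted(excess_scopes("repo, read:org", {"public_repo", "read:org"})))
```

Running the scanner over archived console output before it is exposed anywhere, and comparing `X-OAuth-Scopes` from a probe request against the job's baseline, turns the "check what the old credential could do" step into something that can run on every build rather than once after an incident.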