By downloading and checking users’ SSH public keys, @cryptosense found that a number of users had cryptographically weak RSA keys associated with their accounts. These keys appeared to have been generated using an incorrectly implemented RSA key generation routine (or the keys were corrupt) before they were associated with their GitHub account. These keys were easily factorable and could have allowed an attacker to generate a SSH private key corresponding to the weak public key. To address this problem, we added additional validations, checking that new RSA SSH keys added to user accounts are not easily factorable. In addition, we audited all existing RSA SSH keys and revoked any that were found to be weak.

@cryptosense earned an additional 500 points for donating their bounty to a great cause — Médecins Sans Frontières (MSF). GitHub matches all bounties donated to 501(c)(3) organizations.