@gcbirzan discovered that organization policies for allowed OAuth applications could be bypassed using the search APIs. This could have allowed third-party applications to see information about issues from an organization’s private repositories. We addressed this issue by enforcing organization application policies on these search APIs.
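
A simplified model of this class of bug, added here as an illustration and not GitHub's code: the organization's application policy is checked on the direct read path but not on search, and the fix applies the same check to every search hit. All names (`app_allowed`, `search_before_fix`, the `acme` data) are hypothetical, and the model assumes the authorizing user is an organization member who can read the private repository.

```python
"""Toy model (constructed, not GitHub's code) of an org OAuth app policy
that is enforced on direct reads but, before the fix, not on search."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Issue:
    org: str
    repo: str
    private: bool
    title: str


@dataclass
class Org:
    name: str
    restrict_apps: bool = True          # org has an allowed-application policy
    approved_apps: set = field(default_factory=set)


# Constructed sample data.
ORGS = {"acme": Org("acme", approved_apps={"ci-bot"})}
ISSUES = [
    Issue("acme", "acme/internal", True, "rotate deploy key"),
    Issue("acme", "acme/website", False, "fix typo on deploy page"),
]


def app_allowed(app_id: str, issue: Issue) -> bool:
    """Single policy decision shared by every code path that returns issues."""
    if not issue.private:
        return True                     # assumption: policy covers private data only
    org = ORGS[issue.org]
    return not org.restrict_apps or app_id in org.approved_apps


def get_issue(app_id: str, index: int) -> Issue:
    """Direct read: the policy is enforced here."""
    issue = ISSUES[index]
    if not app_allowed(app_id, issue):
        raise PermissionError("application not approved by organization")
    return issue


def search_before_fix(app_id: str, term: str) -> list:
    """Search path that never consults the application policy."""
    return [i for i in ISSUES if term in i.title]


def search_after_fix(app_id: str, term: str) -> list:
    """Same query, with the org application policy applied to every hit."""
    return [i for i in ISSUES if term in i.title and app_allowed(app_id, i)]
```

A regression test for this kind of fix compares, for an unapproved application, what each read path returns; any issue reachable through search but refused by the direct read is a policy gap.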