@ionicabizau reported a bug where a user audit log entry was created that disclosed another user’s IP address. When a user is invited to join an organization an audit log event is created when the user accepts the invitation and is added to their initial set of teams. This audit log event was visible to the user that initiated the invitation and contained the IP address of the user that accepted the invitation. We addressed this by removing this event type from the user audit log. The event is still visible in the organization audit log, but no IP address information is disclosed.
GitHub occasionally lets users and organizations preview upcoming features through our early access program. For example, we recently used the early access program to preview Git LFS. @IonicaBizau identified and reported a bug that could allow an attacker to register another user for an early access feature. While we correctly restricted which organizations a user could register, we did not restrict which users could be registered. This was considered a low risk vulnerability since it did not directly allow an attacker any additional access to the user’s account (it only enabled new features for the registered user). We addressed this issue by ensuring a user can only register themselves, and organizations they administer, for early access features.
While developing github-org-members.js, a JavaScript library to display the members of a GitHub organization, @IonicaBizau identified and reported a bug where the private members of an organization could be listed via the API using a scopeless OAuth token for a member of that organization. We addressed this by restricting the API to only return public members when accessed with a scopeless OAuth token.
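As an added illustration of the two authorization bugs above (the early access registration check and the scopeless-token member listing), here is a constructed Ruby sketch, not GitHub's code, showing the vulnerable shape of each check beside the corrected one; the model names, the `read:org` scope and the sample data are assumptions.

```ruby
# Constructed example (not GitHub's code): minimal models for the two
# authorization checks described above. All names are hypothetical.
User  = Struct.new(:login)
Org   = Struct.new(:login, :admins, :members, :public_members)
Token = Struct.new(:user, :scopes)

module EarlyAccess
  # Vulnerable shape: an organization target is checked against the actor,
  # but a User target is accepted without any check at all.
  def self.can_register_vulnerable?(actor, target)
    return true if target.is_a?(User)
    target.admins.include?(actor.login)
  end

  # Corrected shape: a user may register only themselves, or an
  # organization they administer.
  def self.can_register?(actor, target)
    case target
    when User then target.login == actor.login
    when Org  then target.admins.include?(actor.login)
    else false
    end
  end
end

module OrgMembersApi
  # Assumed: "read:org" is the scope that grants access to concealed members.
  REQUIRED_SCOPE = "read:org"

  # Vulnerable shape: membership alone exposes concealed members, so a
  # scopeless token belonging to any member lists the whole organization.
  def self.members_vulnerable(org, token)
    return org.members if org.members.include?(token.user.login)
    org.public_members
  end

  # Corrected shape: concealed members require both membership and the scope;
  # everything else falls back to the public member list.
  def self.members(org, token)
    member = org.members.include?(token.user.login)
    return org.members if member && token.scopes.include?(REQUIRED_SCOPE)
    org.public_members
  end
end
```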