@bitquark reported a stored XSS vulnerability within GeoJSON rendering on render.github.com.
While exploitation of this vulnerability was limited to a sandboxed domain, we still took the threat seriously. We addressed the behavior by properly escaping user-controlled input.
@bitquark reported a bug where we were not sending the Content Security Policy header in responses when the request included specific parameters. The CSP header is an important security feature supported by modern browsers to significantly mitigate the risk of XSS.
We addressed this issue by ensuring the correct security headers are set on all responses.
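The fix described above amounts to setting the security headers at a layer that every response passes through, rather than inside handlers that may take different code paths depending on request parameters. The following Rack-style middleware is an added example, not GitHub's code; the policy string, the parameter name that triggers the constructed bug, and the inner application are all assumptions made for illustration.

```ruby
# Placeholder policy; a real one would be tailored to the site's needs.
CSP_POLICY = "default-src 'self'".freeze

# Middleware that guarantees a Content-Security-Policy header on every
# response, no matter which query parameters the request carried or which
# branch the inner application took.
class EnsureCsp
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only fill the header in when the inner app did not set one, so a
    # deliberately stricter per-route policy is preserved.
    headers["Content-Security-Policy"] ||= CSP_POLICY
    [status, headers, body]
  end
end

# Constructed inner app that mimics the reported bug: the CSP header is
# dropped whenever a particular (invented) parameter is present.
BUGGY_APP = lambda do |env|
  headers = { "Content-Type" => "text/html" }
  unless env["QUERY_STRING"].to_s.include?("skip_csp=1")
    headers["Content-Security-Policy"] = CSP_POLICY
  end
  [200, headers, ["<html></html>"]]
end

# Helper used to inspect what a given app returns for a query string.
def csp_header_for(app, query_string)
  _status, headers, _body = app.call({ "QUERY_STRING" => query_string })
  headers["Content-Security-Policy"]
end
```

Wrapping the application (EnsureCsp.new(BUGGY_APP)) makes the header present even on the request that previously lost it; a quick regression check is to call every route with and without the suspect parameters and compare the header set.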
@bitquark reported a low-risk open redirect on GitHub.com. Rails code such as redirect_to :back could be exploited to redirect a user to an arbitrary location if they were first forwarded to GitHub via a malicious site. We addressed the behavior by limiting the locations passed via Referer headers that we allow to be used for redirection.
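The mitigation described for the open redirect is to treat the Referer header as untrusted input and only redirect back to it when it points at an approved host. The function below is an added example in plain Ruby, not GitHub's code; the allowed host list and fallback path are assumptions. It also covers two edge cases a naive host check misses: a userinfo component that makes an attacker's URL look like the allowed host, and a path beginning with "//", which browsers treat as a protocol-relative redirect to another host.

```ruby
require "uri"

# Assumed allowlist of hosts a "back" redirect may target.
ALLOWED_REDIRECT_HOSTS = ["github.com", "gist.github.com"].freeze
FALLBACK_PATH = "/".freeze

# Return a safe location for a "go back" redirect derived from the Referer
# header. Anything missing, unparsable, non-HTTP(S), or off-allowlist falls
# back to FALLBACK_PATH. Only the path and query of a trusted referer are
# re-emitted, never the scheme, userinfo, or host the client supplied.
def safe_back_location(referer)
  return FALLBACK_PATH if referer.nil? || referer.strip.empty?

  uri = URI.parse(referer)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes and
  # rejects javascript:, data:, and scheme-less values.
  return FALLBACK_PATH unless uri.is_a?(URI::HTTP)
  # uri.host ignores userinfo, so "https://github.com@evil.example/" is
  # seen as host evil.example and rejected here.
  return FALLBACK_PATH unless ALLOWED_REDIRECT_HOSTS.include?(uri.host.to_s.downcase)

  path = uri.path.empty? ? "/" : uri.path
  # A path like "//evil.example" would become a protocol-relative redirect;
  # a backslash is treated as "/" by some browsers. Refuse both.
  return FALLBACK_PATH if path.start_with?("//") || path.include?("\\")

  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  FALLBACK_PATH
end
```

In a Rails controller this value would be handed to redirect_to in place of :back, so the Referer header only ever influences the path within the site, not the destination host.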
@bitquark reported a reflected XSS vulnerability within GeoJSON rendering on render.github.com
. While exploitation of this vulnerability was limited to a sandboxed domain, we still took the threat seriously. We addressed the behavior by properly escaping user-controlled input.
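Both GeoJSON reports above (the stored and the reflected case) were fixed the same way: every string taken from the user's file is HTML-escaped before it is placed into the rendered page. The code below is an added example, not GitHub's render.github.com code; the popup layout is an assumption and the GeoJSON document is a constructed sample containing markup in a property value.

```ruby
require "json"
require "cgi"

# Build the HTML for a feature's popup from a GeoJSON Feature object.
# Property names and values come straight from the uploaded file, so each
# one is escaped individually before being interpolated into markup.
def popup_html(feature)
  props = feature.fetch("properties", nil) || {}
  rows = props.map do |key, value|
    "<tr><th>#{CGI.escapeHTML(key.to_s)}</th>" \
      "<td>#{CGI.escapeHTML(value.to_s)}</td></tr>"
  end
  "<table>#{rows.join}</table>"
end

# Accept either a single Feature or a FeatureCollection and return one
# popup HTML string per feature.
def render_geojson_popups(geojson_text)
  doc = JSON.parse(geojson_text)
  features = doc["type"] == "FeatureCollection" ? doc.fetch("features", []) : [doc]
  features.map { |f| popup_html(f) }
end

# Constructed sample: a point whose "name" property contains an HTML tag.
SAMPLE_GEOJSON = <<~JSON
  {"type":"FeatureCollection","features":[
    {"type":"Feature","geometry":{"type":"Point","coordinates":[0,0]},
     "properties":{"name":"<img src=x onerror=alert(1)>","note":"plain & simple"}}
  ]}
JSON
```

Running render_geojson_popups(SAMPLE_GEOJSON) yields a table in which the tag survives only as literal text (&lt;img ...&gt;), which is the property the fix needs: the rendered output never contains markup that originated in the file, regardless of whether the file was stored or supplied in the request.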
@bitquark reported a reflected self-XSS vulnerability that existed within our organization creation page. If the organization name contained HTML markup and the submitted coupon code was invalid, the unescaped organization name was used in the response.
While this was a reflected self-XSS vulnerability that was also mitigated by our use of CSP, we still took the threat seriously. We addressed the behavior by properly escaping the organization name. In addition, we refactored the shared template logic to reduce the chance that a similar vulnerability will occur elsewhere.
@bitquark reported a bug where a page listing the members of a team could be viewed by users who were not members of the organization. We addressed this by adding the missing authorization check on this page.