@bureado identified that endpoints intended to be restricted to the github.com domain were accessible using the gist.github.com host. This allowed authentication cookies for Gist to be used to access functionality on GitHub.com. We addressed this issue by limiting the routing of requests made to the
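To make the class of bug concrete, here is an added example (written for this page, not GitHub's own routing code) of a backend that dispatches on path only, beside one that also checks the Host header against a per-endpoint allowlist. The two hostnames come from the report above; the endpoint paths, cookie names and session table are constructed for illustration.

```python
"""Host-scoped routing: path-only dispatch versus host-checked dispatch.

Constructed illustration; endpoint paths, cookie names and sessions are
made up and are not GitHub's real configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    path: str
    hosts: frozenset  # hosts on which this endpoint is meant to be served


# Constructed endpoint table: one endpoint that should only exist on
# github.com, one that should only exist on gist.github.com.
ENDPOINTS = (
    Endpoint("/settings/keys", frozenset({"github.com"})),
    Endpoint("/gists/new", frozenset({"gist.github.com"})),
)

# Each host authenticates with its own session cookie (constructed names).
HOST_COOKIE = {"github.com": "user_session", "gist.github.com": "gist_session"}

# Constructed session store: cookie name -> cookie value -> user.
SESSIONS = {
    "user_session": {"abc123": "alice"},
    "gist_session": {"g1": "alice"},
}


def identity_for(host, cookies):
    """Resolve the user from the session cookie that belongs to this host."""
    name = HOST_COOKIE.get(host)
    if name is None:
        return None
    return SESSIONS.get(name, {}).get(cookies.get(name))


def route_vulnerable(host, path, cookies):
    """Path-only dispatch.

    Any host that reaches this backend can hit any endpoint, so a request
    for a github.com-only endpoint sent with Host: gist.github.com is
    served, and the Gist session cookie is what authenticates it.
    Returns (status, user).
    """
    for ep in ENDPOINTS:
        if ep.path == path:
            user = identity_for(host, cookies)
            return (200, user) if user else (401, None)
    return (404, None)


def route_hardened(host, path, cookies):
    """Dispatch only when the Host header is in the endpoint's allowlist.

    A github.com-only endpoint is simply not found on gist.github.com, so a
    Gist cookie never gets the chance to authenticate it.
    Returns (status, user).
    """
    for ep in ENDPOINTS:
        if ep.path == path:
            if host not in ep.hosts:
                return (404, None)
            user = identity_for(host, cookies)
            return (200, user) if user else (401, None)
    return (404, None)


if __name__ == "__main__":
    gist_cookie = {"gist_session": "g1"}
    print("vulnerable:", route_vulnerable("gist.github.com", "/settings/keys", gist_cookie))
    print("hardened:  ", route_hardened("gist.github.com", "/settings/keys", gist_cookie))
    print("hardened, proper host:",
          route_hardened("github.com", "/settings/keys", {"user_session": "abc123"}))
```

The point of the hardened version is that the host check happens at the routing layer, before any cookie is consulted: an endpoint that is not meant to exist on a host should 404 there rather than rely on the session layer to notice that the wrong cookie arrived.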
@bureado earned an additional 1000 points for donating their bounty to a great cause — the Washington State Council of Fire Fighters (WSCFF) Burn Foundation. GitHub matches all bounties donated to 501(c)(3) organizations.