@koenrh reported that an attacker could register arbitrary subdomains of github.io and githubusercontent.com via our content delivery network (CDN). This could be used to serve malicious content from these domains or steal another user’s GitHub Pages domain.
In working with our CDN, we learned that they were treating any domain on the Public Suffix List as a “service provider.” They quickly responded to our request and removed GitHub domains from their list of service providers. We have verified that subdomains of GitHub domains can no longer be registered with our CDN.
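The following is an added example (not GitHub's or the CDN's code) that models the hostname-claim decision behind this report: a Public Suffix List parser, and the claim check under the weak policy described above (every multi-label PSL entry treated as a shared "service provider" suffix) beside the fixed policy (an explicit allowlist that omits operator-owned suffixes such as github.io). The PSL excerpt, account names, ownership records and the exact shape of the weak policy are all constructed assumptions.

```python
"""Model of the CDN hostname-claim check described above (added example, not the CDN's code).

A CDN that lets customers serve content on hostnames must decide, for each
requested hostname, whether the requesting account may claim it.  The weak
policy modelled here treats every multi-label Public Suffix List entry as a
shared "service provider" suffix whose subdomains are open for claiming; the
fixed policy keeps an explicit allowlist that omits operator-owned suffixes
such as github.io and githubusercontent.com.  PSL subset, accounts and
ownership records below are all constructed for illustration.
"""

# Constructed subset of the Public Suffix List (real list: publicsuffix.org).
# Wildcard (*.) and exception (!) rules are included to exercise the parser.
PSL_SUBSET = """
// --- constructed PSL excerpt ---
com
io
test
github.io
githubusercontent.com
sites.example-cdn.test
*.pages.example-cdn.test
!admin.pages.example-cdn.test
"""

# Constructed ownership records: which account proved control of which registrable domain.
VERIFIED_OWNERS = {"example-customer.com": "acct-123"}


def parse_psl(text):
    """Return the non-comment, non-blank rules from PSL-formatted text."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


def _rule_matches(rule, labels):
    """PSL rule matching: compare labels right-to-left; '*' matches any single label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h for r, h in zip(reversed(rule_labels), reversed(labels)))


def matching_rule(hostname, rules):
    """Apply the PSL algorithm: an exception rule wins, else the longest matching
    rule, else the implicit '*' rule.  Returns (rule, number of suffix labels)."""
    labels = hostname.lower().rstrip(".").split(".")
    exception, best = None, None
    for rule in rules:
        if not _rule_matches(rule, labels):
            continue
        if rule.startswith("!"):
            exception = rule
        elif best is None or rule.count(".") > best.count("."):
            best = rule
    if exception is not None:
        return exception, len(exception.split(".")) - 1  # exception drops its leading label
    if best is not None:
        return best, len(best.split("."))
    return "*", 1  # unknown TLD: the suffix is the last label alone


def public_suffix(hostname, rules):
    labels = hostname.lower().rstrip(".").split(".")
    _, n = matching_rule(hostname, rules)
    return ".".join(labels[-n:])


def registrable_domain(hostname, rules):
    """Public suffix plus one label, or None if the hostname is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    _, n = matching_rule(hostname, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def may_serve_hostname(hostname, account, rules, service_provider_rules):
    """Decide whether `account` may claim `hostname` on the CDN."""
    rule, _ = matching_rule(hostname, rules)
    if rule in service_provider_rules:
        # Shared-hosting suffix: each subdomain is a separate tenant, so any
        # account may claim an unclaimed one.  This branch must never be
        # reachable for a suffix that a single operator controls.
        return True
    domain = registrable_domain(hostname, rules)
    return domain is not None and VERIFIED_OWNERS.get(domain) == account


RULES = parse_psl(PSL_SUBSET)

# Weak policy (assumed model of the behaviour described in the report):
# every multi-label PSL entry is treated as a service-provider suffix.
WEAK_PROVIDERS = {r for r in RULES if not r.startswith("!") and "." in r}

# Fixed policy: an explicit allowlist that excludes operator-owned suffixes.
FIXED_PROVIDERS = {"sites.example-cdn.test", "*.pages.example-cdn.test"}

if __name__ == "__main__":
    for policy_name, providers in (("weak", WEAK_PROVIDERS), ("fixed", FIXED_PROVIDERS)):
        verdict = may_serve_hostname("other-user.github.io", "acct-999", RULES, providers)
        print(f"{policy_name}: acct-999 may claim other-user.github.io -> {verdict}")
```

Under the weak policy an unrelated account is allowed to claim a github.io subdomain; under the fixed policy the same request falls through to the ownership check and is refused, while subdomains of the CDN's own shared suffixes remain claimable.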
@koenrh reported that the index on one of our S3 buckets was world-readable. An attacker could have used this to download internal GitHub infrastructure graphs. The information exposed was limited and introduced minimal risk to GitHub. We addressed this issue by updating the configuration for this S3 bucket.
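As an added example (not GitHub's tooling), the following audit flags the misconfiguration this report describes, a bucket whose object listing is readable by anyone, in both places it can be granted: the bucket ACL and the bucket policy. It also shows the account-level hardening setting that makes such grants inert. The dict shapes mirror what boto3's `get_bucket_acl()` and `get_bucket_policy()` (after `json.loads`) return; the ACLs, policies, bucket name and account identifiers below are constructed.

```python
"""Audit an S3 bucket's ACL and bucket policy for world-readable listing.

Added example, not GitHub's tooling.  The dict shapes mirror what boto3's
get_bucket_acl() and get_bucket_policy() (after json.loads) return, so the
functions can be pointed at live responses; the inputs below are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
# On a bucket (as opposed to an object), the READ ACL permission means "list the objects".
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}
LISTING_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_listing(acl):
    """Return (group, permission) pairs in the ACL that let the public list the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in LISTING_PERMISSIONS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_listing(policy):
    """Return (Sid, has_condition) for Allow statements that grant listing to everyone.
    A Condition narrows such a grant but does not make it private, so it is reported too."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & LISTING_ACTIONS:
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def listing_is_public(acl, policy):
    return bool(acl_public_listing(acl)) or bool(policy_public_listing(policy))


# Hardening: the PublicAccessBlockConfiguration shape that boto3's
# put_public_access_block() takes.  With all four flags set, public ACL grants
# are ignored and public bucket policies are rejected or neutralised, so a
# later configuration slip cannot reopen the listing.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# --- constructed inputs ---
OWNER = {"ID": "constructed-canonical-user-id"}
WORLD_READABLE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [WORLD_READABLE_ACL["Grants"][0]]}

PUBLIC_LIST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]
}""")
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "TeamList", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-role"},
                 "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]
}""")

if __name__ == "__main__":
    print("world-readable ACL grants:", acl_public_listing(WORLD_READABLE_ACL))
    print("public policy statements:", policy_public_listing(PUBLIC_LIST_POLICY))
    print("listing exposed after fix:", listing_is_public(PRIVATE_ACL, PRIVATE_POLICY))
```

Running the audit over every bucket in an account, and alerting when either function returns a finding, catches this class of exposure before a researcher has to report it; applying the public-access-block configuration keeps a future ACL or policy mistake from becoming an exposure at all.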
@koenrh earned an additional 500 points for donating their bounty to a great cause — the Tor Project. GitHub matches all bounties donated to 501(c)(3) organizations.