@michenriksen reported a potential denial-of-service against GitHub.com’s hook delivery service. A hook could be created to call back to GitHub API endpoints, which could in turn re-trigger delivery of the same hook. After investigation, we determined that the likelihood of this impacting GitHub’s availability was low due to API rate-limiting and the architecture of our hook delivery backend. However, we still took this issue seriously and addressed the behavior by restricting GitHub hooks from making requests back to GitHub.com endpoints.
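As an added illustration of the mitigation described above (not GitHub's own code), the following registration-time check rejects webhook target URLs whose host is the service itself, so a delivery can never call back into an endpoint that would re-trigger it. The host list and helper names are assumptions; a production version would also resolve the host and compare against the service's own IP ranges.

```ruby
require "uri"

# Hostnames a hook delivery must never call back into.
# Constructed for this example; a real service uses its own list.
SELF_HOSTS = %w[github.com api.github.com].freeze

# Normalise a hostname for comparison: lowercase and strip a trailing root dot,
# so "API.GitHub.com." compares equal to "api.github.com".
def normalize_host(host)
  host.to_s.downcase.sub(/\.\z/, "")
end

# True when the host is one of SELF_HOSTS or any subdomain of github.com.
# A look-alike such as "github.com.attacker.example" does not match.
def self_referential?(host)
  h = normalize_host(host)
  SELF_HOSTS.include?(h) || h.end_with?(".github.com")
end

# Validate a webhook target URL before the hook is saved.
# Returns [:ok, nil] or [:rejected, reason].
def validate_hook_url(raw)
  uri = URI.parse(raw)
  return [:rejected, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  return [:rejected, "missing host"] if uri.host.nil? || uri.host.empty?
  # uri.host ignores any userinfo, so "https://foo@github.com/" still reports github.com.
  return [:rejected, "hook may not target #{uri.host}"] if self_referential?(uri.host)
  [:ok, nil]
rescue URI::InvalidURIError
  [:rejected, "unparseable URL"]
end
```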
@michenriksen reported a vulnerability that we had identified internally and previously fixed. The vulnerability was still present in our production environment due to a bug in our automated deployment of code. We addressed the bug in our deployment process to prevent similar accidents from happening in the future.