@s-rah observed that users could save an arbitrary email address to their profile. This could have allowed an attacker to perform a social engineering attack by adding an email address to their profile that belonged to another user. When a user adds a collaborator to a repository they can find them by their username or their profile email address. As a result, by registering an email address of another user, an attacker may have been able to confuse the repository owner and have caused them to add the attacker’s account as a collaborator. We remediated this issue by requiring a verified email address for future updates to a user’s profile email address.
@s-rah earned an additional 500 points for donating their bounty to a great cause — The Tor Project. GitHub matches all bounties donated to 501(c)(3) organizations.