GitHub CLI is an open source command line tool for working with your GitHub.com account. It is written in Go (Golang) and lets you run GitHub.com operations from your terminal, such as viewing, commenting on, and otherwise acting on issues and pull requests (PRs).
Even if the issue you identified is out-of-scope and ineligible for our bounty program, we encourage you to open an issue upstream. Please see our severity guidelines for more information about how severities are calculated.
In scope
- Code execution without user interaction, such as when cloning or fetching malicious repositories
- Code execution that requires minimal, expected user interaction, such as performing actions on a repository that a user would not expect to lead to code execution
- Leakage of credentials to an external attacker without access to the local system
Out of scope
- Code execution requiring social engineering or unlikely user interaction is typically not eligible for rewards.
- Vulnerabilities that require local system access, such as local credential storage issues.
Recently collected GitHub CLI bounties:
No vulnerabilities have been reported yet. Yours can be the first!