GitHub, Inc. uses a mix of our own physical infrastructure, cloud platforms and third-party services to keep everything running smoothly. Keeping credentials and access tokens secure for these resources is paramount to the security of our employees and users.
Please review our guidance for handling PII before investigating credentials allowing access to GitHub, Inc. resources. The reward amount is based on the impact of the leaked credential, which will be determined by the GitHub Security team.
GitHub’s Token Scanning feature automatically detects credentials accidentally committed to repositories for a number of service providers. Credentials for GitHub, Inc. resources that have already been found via this feature are ineligible for reward.
| Rank | Points | Researcher | Submission |
|---|---|---|---|
| 1 | 2500 pts | Adam Baldwin | GitHub employee GitHub.com tokens exposed via NPM package |
| 2 | 2500 pts | Adam Baldwin | NPM token for Electron exposed |
| 3 | 2500 pts | kyprizel | Credentials disclosed in source code |
| 4 | 1000 pts | Koen Rouwhorst | World-readable S3 bucket |