March 23, 2021 at 11:27PM

■■■■□ GitHub awards bug bounty hunter $25,000 for Actions secrets theft report.

Tracked as CVE-2021-22862, the security flaw is described as an improper access control vulnerability that “allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork”.

https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html

https://portswigger.net/daily-swig/github-awards-bug-bounty-hunter-25-000-for-actions-secrets-theft-report

https://t.me/cKure/7337