■■■■□ GitHub awards bug bounty hunter $25,000 for Actions secrets theft report.
Tracked as CVE-2021-22862, the security flaw is described as an improper access control vulnerability that “allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork”.
https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html
https://portswigger.net/daily-swig/github-awards-bug-bounty-hunter-25-000-for-actions-secrets-theft-report
https://t.me/cKure/7337