GitHub rejected two formal vulnerability reports identifying design flaws that researchers say are enabling variants of the Shai-Hulud supply-chain worm to infect and compromise hundreds of software packages and developer accounts worldwide.

  • Sinonatrix [comrade/them]@hexbear.net
    link
    fedilink
    English
    arrow-up
    2
    ·
    25 days ago

    I hate sitting out a github bash but they’re entirely right and neither of those are vulnerabilities, HackerOne isn’t for arguing over design

    Important projects should use signed commits and there should be a giant red flag raised when repositories are force pushed IMO but those are two different issues, neither of which can be cashed in for a bug bounty