Wait a minute.
People who have "API-keys and secrets" in their code?
Note to self: Really sorry to have missed out on that investment.
A bounty-hunter has gone public with a complete howler made by Vine, the six-second-video-loop app Twitter acquired in 2012. According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn' …
"Even if they weren't in the image they would have to be available to the image, and in this case you'd have full control over it."
I suppose that could be fixed by putting the keys and secrets into a shared DB table so that you'd at least need access to their private network, maybe authenticate using a certificate for additional security. Plus it would make it easier to update the keys if they got leaked, or just to change them routinely as a procedure.
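The two points above (the secrets have to reach the container somehow, so keep them out of the image and hand them in at run time) as an added example that is not from this thread or from Vine: a Python pre-push check that flags credential-looking ENV entries in an image config, next to the run-time file-mount read that avoids baking them in. The regexes, the `/run/secrets` convention and the sample config are assumptions constructed for illustration.

```python
import json
import re
from pathlib import Path

# ENV names that suggest a credential, or values shaped like a known key.
# Illustrative patterns only, not an exhaustive secret scanner.
NAME_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)", re.I)
VALUE_RES = [
    re.compile(r"^AKIA[0-9A-Z]{16}$"),        # AWS access key id shape
    re.compile(r"^[A-Za-z0-9+/=_\-]{32,}$"),  # long opaque token
]

def find_baked_secrets(image_config: dict) -> list[str]:
    """Return ENV names in an OCI/Docker image config that appear to carry a
    secret value. Anything here ships with every pull of the image, so anyone
    who can read the registry reads it. Entries that only point at a mounted
    file (FOO_FILE=/run/secrets/foo) are the safe pattern and are skipped."""
    hits = []
    for entry in image_config.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        if not value or name.upper().endswith("_FILE") or value.startswith("/"):
            continue
        if NAME_RE.search(name) or any(r.match(value) for r in VALUE_RES):
            hits.append(name)
    return hits

def load_runtime_secret(name: str, secrets_dir: str = "/run/secrets") -> str:
    """Read a secret mounted into the container at run time (the Docker and
    Kubernetes file-secret convention). The image only knows the path."""
    path = Path(secrets_dir) / name
    if path.is_symlink() or not path.is_file():
        raise FileNotFoundError(f"secret {name!r} not mounted at {path}")
    return path.read_text(encoding="utf-8").strip()

# Constructed sample, shaped like the "Config" part of `docker image inspect`.
SAMPLE_CONFIG = {
    "config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/bin",
            "APP_ENV=production",
            "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000",  # constructed, not real
            "TWITTER_API_SECRET=deadbeef...",           # constructed, not real
            "DB_SECRET_FILE=/run/secrets/db_password",  # path only: fine
        ]
    }
}

if __name__ == "__main__":
    print(json.dumps({"baked_secrets": find_baked_secrets(SAMPLE_CONFIG)}))
```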
It was closed within 5 minutes of him notifying them - who knows how long it was open for.
And presumably, since this all happened 4 months ago (meaning by now the source code is likely out of date, and keys were presumably changed asap after discovery), and since this is the first time I've seen it reported, you'd have to assume no real damage was done.
Which means the bug bounty worked as planned.
Biting the hand that feeds IT © 1998–2021