Compsci student walks off with $50,000 after bug bounty report blows gaping hole in Shopify software repos

DevOpsTimothyC Bronze badge

It's something GitHub really needs to address. There are a lot of tokens out there; it's pure luck that there haven't been more incidents.

It's really easy to address in GH. Require your devs to access GH via corporate SSO and not via their personal logins.

Granted, it will annoy a lot of developers having to auth to GitHub via their org rather than with personal credentials, but it's not GH's fault that many orgs allow access via accounts they do not control and have not locked down.
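One way to check whether the control the commenter proposes is actually in place, as an added example that is not part of the original post or of any GitHub tooling: the GitHub GraphQL API exposes an organisation's members and, when SAML SSO is configured, the external identities linked to them, so an audit script can list every member whose account has no linked corporate identity. The query text follows GitHub's documented `membersWithRole` and `samlIdentityProvider.externalIdentities` fields; the token, organisation name and the sample response below are assumptions and constructed data, and the network path is not exercised offline.

```python
"""Audit a GitHub org for members without a linked SAML SSO identity.

Added example, not code from the original thread.  Field names follow the
public GitHub GraphQL schema; SAMPLE_RESPONSE is constructed data.
"""
from __future__ import annotations

import json
import urllib.request

GITHUB_GRAPHQL = "https://api.github.com/graphql"

# One query per connection so each can be paged independently.
MEMBERS_QUERY = """
query($org: String!, $after: String) {
  organization(login: $org) {
    membersWithRole(first: 100, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes { login }
    }
  }
}
"""

IDENTITIES_QUERY = """
query($org: String!, $after: String) {
  organization(login: $org) {
    samlIdentityProvider {
      externalIdentities(first: 100, after: $after) {
        pageInfo { hasNextPage endCursor }
        nodes { user { login } samlIdentity { nameId } }
      }
    }
  }
}
"""


def unlinked_members(payload: dict) -> list[str]:
    """Return (sorted) org members whose GitHub account has no SAML identity.

    An identity whose `user` is null belongs to nobody in the org (for example
    a former employee) and therefore links no member; if the org has no SAML
    provider at all, every member is reported.
    """
    org = payload["data"]["organization"]
    members = {m["login"] for m in org["membersWithRole"]["nodes"]}
    idp = org.get("samlIdentityProvider")
    if idp is None:
        return sorted(members)
    linked = {
        ident["user"]["login"]
        for ident in idp["externalIdentities"]["nodes"]
        if ident.get("user") and ident.get("samlIdentity")
    }
    return sorted(members - linked)


def _post(token: str, query: str, variables: dict) -> dict:
    """Single GraphQL call; `token` is assumed to be an org-admin PAT."""
    req = urllib.request.Request(
        GITHUB_GRAPHQL,
        data=json.dumps({"query": query, "variables": variables}).encode(),
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _paginate(token: str, query: str, org: str, pick) -> list | None:
    """Walk one GraphQL connection to exhaustion; `pick` selects it from the org."""
    nodes, cursor = [], None
    while True:
        org_data = _post(token, query, {"org": org, "after": cursor})["data"]["organization"]
        conn = pick(org_data)
        if conn is None:  # samlIdentityProvider is null when SSO is not configured
            return None
        nodes += conn["nodes"]
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        cursor = conn["pageInfo"]["endCursor"]


def fetch_org(token: str, org: str) -> dict:
    """Fetch members and identities and shape them for unlinked_members()."""
    members = _paginate(token, MEMBERS_QUERY, org, lambda o: o["membersWithRole"])
    identities = _paginate(
        token, IDENTITIES_QUERY, org,
        lambda o: (o["samlIdentityProvider"] or {}).get("externalIdentities"))
    return {"data": {"organization": {
        "membersWithRole": {"nodes": members},
        "samlIdentityProvider": None if identities is None
        else {"externalIdentities": {"nodes": identities}},
    }}}


# Constructed sample response: two linked members, one orphaned identity,
# and one member (a contractor on a personal account) with no identity at all.
SAMPLE_RESPONSE = {"data": {"organization": {
    "membersWithRole": {"nodes": [
        {"login": "alice"}, {"login": "bob"}, {"login": "carol-contractor"}]},
    "samlIdentityProvider": {"externalIdentities": {"nodes": [
        {"user": {"login": "alice"}, "samlIdentity": {"nameId": "alice@example.com"}},
        {"user": None, "samlIdentity": {"nameId": "former.employee@example.com"}},
        {"user": {"login": "bob"}, "samlIdentity": {"nameId": "bob@example.com"}},
    ]}},
}}}

if __name__ == "__main__":
    print("members without SSO identity:", unlinked_members(SAMPLE_RESPONSE))
```

The audit only tells you who is unlinked; the enforcement itself is the org-level "Require SAML SSO" setting, which removes members that have not linked an identity, and it does nothing about personal access tokens that were never authorised for the org, so run the audit before flipping the switch rather than as a substitute for it.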

Biting the hand that feeds IT © 1998–2021