
Hi, this is a small security issue I found. I have already reported this to GitHub.


http://vikraman.org/posts/2013/12/1/linux-ng.html

I shouldn't disclose how this was done until it is fixed. It seems GitHub is unhappy with how this turned out, but I hope they fix it soon. I have already written a personal apology to Linus, and also, apologies if I have offended anyone else.


GitHub has its own responsible disclosure policy (which they set up after their last hack)[1]. This is what they say about it:

>We consider correspondence sent to security@github.com our highest priority, and work to address any issues that arise as quickly as possible.

[1]: https://help.github.com/articles/responsible-disclosure-of-s...


Why not just disclose it responsibly to github without using it on other people's accounts?


It seems he did, but they didn't show interest (according to the comment of zaph0d on this page).


"Look, I can create a commit with someone else's e-mail address, and GitHub will think it was actually theirs!"

Of course, the question is: is there any way to prevent this in a simple way? Given anyone can push the final commit, you would need some sort of commit signing, but that sounds more pain than it's really worth.
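An added example, not from the thread and not GitHub's code, that shows in shell what the comment above describes: git records the author as free-form text, so whoever can push can attribute a commit to any e-mail address, and a hosting site that maps author e-mail to accounts will credit that address. It also shows the check that commit signing makes possible: refusing commits that do not carry a verified-good signature. It assumes git is on PATH; the names and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes git is installed.
# Names and e-mail addresses below are constructed for the demonstration.
set -eu

# Create a throwaway repository whose single commit has a spoofed author.
# Prints the repository path.
make_spoofed_repo() {
    dir=$(mktemp -d)
    git -C "$dir" -c init.defaultBranch=main init -q
    : > "$dir/README"
    git -C "$dir" add README
    # The author fields are plain strings; nothing verifies that the person
    # committing owns the address. The committer identity is the attacker's,
    # but sites that attribute by author e-mail will credit the victim.
    GIT_AUTHOR_NAME='Victim' GIT_AUTHOR_EMAIL='victim@example.org' \
    GIT_COMMITTER_NAME='Attacker' GIT_COMMITTER_EMAIL='attacker@example.net' \
        git -C "$dir" -c commit.gpgsign=false commit -q -m 'spoofed authorship'
    printf '%s\n' "$dir"
}

# Author e-mail git recorded for HEAD of the given repository.
author_email() {
    git -C "$1" log -1 --format='%ae'
}

# Signature status of HEAD: G (good), B (bad), U (good but untrusted key),
# N (no signature), and a few others. An unsigned commit yields N without
# ever calling gpg.
sig_status() {
    git -C "$1" log -1 --format='%G?'
}

# Policy check a merge pipeline could run: every commit in the range must
# carry a verified-good signature (%G? == G). Returns 0 if so, 1 otherwise.
# Attribution then rests on a key the account owner controls, not on an
# e-mail string anyone can type.
require_signed() {
    repo=$1
    range=${2:-HEAD}
    if git -C "$repo" log --format='%G?' "$range" | grep -q -v '^G$'; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration.
repo=$(make_spoofed_repo)
echo "recorded author e-mail: $(author_email "$repo")"   # victim@example.org
echo "signature status:       $(sig_status "$repo")"     # N
if require_signed "$repo"; then
    echo "policy: accepted"
else
    echo "policy: rejected, commit is not signed"
fi
rm -rf "$repo"
```

The spoof succeeds because git only stores what it is told; the `%G?` check is the cheap gate a server or CI job can put in front of attribution, and it rejects the spoofed commit without needing any key material, since an absent signature is already a failure.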


Oh true. What kind of issue, XSS or something else? (just generically, not specifics)


Not XSS. I will disclose more once it is fixed.



