Earlier today I discovered that, due to a vulnerability with GitHub Enterprise, I still had access to resources at my former company that I really shouldn’t have. After reporting it to those guys so they could lock it down on their end, I reached out to GitHub themselves so they could repair it on their end and push out a fix to their own customers.
Their response was that they didn’t care. I received a form letter stating that they were “aware of this and similar issues”, and that they’d be working on improving it in the future.
Sometime this weekend I am going to be writing a blog post describing how former employers of a company can access the repositories and data inside GitHub Enterprise installations, because apparently GitHub as a company gives no fucks and it’s public disclosure time.
If anyone knows anyone at GitHub who might actually take this seriously, please feel free to send them my way. I would much rather do this the proper way if possible.