5 comments

[ 3.1 ms ] story [ 24.3 ms ] thread
Any relation to inability to trigger GCP build using public org repository?
Companies don't generally send out notifications like this for bug bounty reports or pentesting engagements - kind of implies that they found it being exploited in the wild.
My comments from the other thread: https://news.ycombinator.com/item?id=15963787

Very interesting. I wonder if any private organisations setup a pseudo/canary repositories, that when pulled triggered an alarm? Or simply contained some monitored API keys or credentials to spot any activity/Insider threats.

Might be a neat idea for those businesses that are concerned about their private repos (either cloud hosted or self hosted).

May have picked up if anyone was able to exploit this.