8 comments

[ 2.9 ms ] story [ 13.6 ms ] thread
That report really under-sells the severity of the vulnerability, in form (just a forum post really? "Hey all," really?) and content.

Definitely check out Péter Szilágyi's twitter thread: https://twitter.com/peter_szilagyi/status/143764611870017536...

> No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen

If it wasn't clear before that everyone should get off travis (and it was), this should be the thing that makes it clear. This is not a trustworthy company anymore. Which is sad when they really used to be.

Private equity running it into the ground.

They posted this insanely embarrassing "security bulletin" yesterday as well: https://blog.travis-ci.com/2021-09-13-bulletin

> As a reminder from the Support Team, cycling your secrets is something that all users should do on a regular basis per your company’s security process. If you are unsure how to do this please contact Support and we would be happy to help you.

...and that's it. That's the full "bulletin."

I audibly said "no way" when I read your last sentence.

Wow, this is bad.