Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago had it as just an env var
How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?
It is incredibly bad practice that their "become the github app as you desire" keys to the kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets…
Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago had it as just an env var
How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?
It is incredibly bad practice that their "become the github app as you desire" keys to the kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets…