Comment by pwdisswordfishy
8 hours ago
That's just a tautology.
"If the secrets issuer partners with X-corp for secret scanning so that secrets get invalidated when you X them, then when you X them the secrets will be invalidated".
The above is a true statement for all X.
? Yes? Toomuchtodo is reminding the author (and other commenters), that github gists are one way to make sure secrets are secured / remediated before making a public post like this. Maybe not the most responsible whitehat action, but I can see it being useful in some cases where outreach is impractical / has failed.
Unfortunately, it doesn't look like Algolia has implemented this
I'm not following this at all. It seems like OP is saying if you share a secret in your (private?) gist and give Algolia permission to read the gist, they will invalidate it. But why would the secret be in a gist and not a repo? Also if you're aware enough to add that partner it seems you're aware to not do dumb things like that in the first place.
If you find an exposed token in the wild, for a service supported by GitHub Secret Scanning, uploading it to a Gist will either immediately revoke it or notify the owner.
English is not formal logic.
In formal logic, that statement is true whether X is GitHub, or Lockheed-Martin, Safeway, or the local hardware store.
In English, the statement serves to inform (or remind) you that GitHub has a secret scanning program that many providers actually do partner with.
Yes, and in the real world where Grice's Maxim of Relevance is in force, when the secrets issuer that is the subject of the discussion isn't one of those partners, an informative "reminder" that GitHub "has a secret scanning program" with a bunch of other partners is not actually informative. It's as superfluous and unhelpful as calling to let someone know you're not interested in the item they've posted for sale on Craigslist (<https://www.youtube.com/watch?v=xWG3jKzKcm8>).
It's more useful than telling someone that their statement is a tautology in formal logic.
How is reminding people that they can safely revoke exposed API keys not informative? Why are you being so combative?