Comment by ammar2
15 hours ago
> it'd be awesome if the in-browser IDE launched with a temporary per-repo permission scope
That's actually exactly what they do for codespaces. The token only has read/write on the repo you activated for the codespace [1]. They should definitely consider doing that for github.dev as well.
[1] https://orca.security/resources/blog/hacking-github-codespac...
Or they could’ve kept their bounty program running smoothly. But instead they pissed off another security researcher and received zero days of heads-up before public disclosure.
There is no excuse. GitHub runs a great program on HackerOne and it should just have been submitted there.
Also note that the person who found this was pissed because they had a difficult experience with submitting a bug for VSCode THREE YEARS AGO through MSRC, which is _completely different_ from the GitHub H1 program and no doubt much more challenging, with a different experience.
There is really no excuse for this irresponsible disclosure. They could have at least tried instead of holding a grudge for three years.