GitHub patched a critical remote code execution vulnerability in less than six hours last month after security researchers flagged it through the company’s bug bounty program. The flaw, discovered in GitHub’s internal git infrastructure, could have allowed attackers to access millions of public and private code repositories.
The vulnerability was uncovered by Wiz Research using AI models — making it, according to Wiz security researcher Sagi Tzadik, “one of the first critical vulnerabilities discovered in closed-source binaries using AI.” The specific AI model used was not disclosed.
GitHub’s response was swift. “Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity,” said Alexis Wales, GitHub’s chief information security officer. The engineering team identified the root cause, developed a fix, and deployed it to GitHub.com in under two hours. A forensic investigation that followed concluded there had been no exploitation of the vulnerability. The fix was also applied to GitHub Enterprise Server.
Despite the fast resolution, Wiz warned that the vulnerability was “remarkably easy to exploit” given the complexity of GitHub’s underlying systems. Wales described it as a rare finding that earned “one of the highest rewards available” in GitHub’s bug bounty program.
The disclosure comes at a turbulent time for the platform. Just days before the vulnerability was reported, GitHub experienced a significant outage that randomly reverted previously merged commits for some users, and additional outages occurred in the same week. GitHub employees have raised concerns about the service’s reliability, with one employee quoted as saying “the company is collapsing, both in outages that are reallllly bad and have torched the company reputation… and in an exodus of leadership.”
Source: The Verge