GitHub rushed to fix a critical vulnerability in less than six hours


GitHub employees fixed a critical remote code execution vulnerability in less than six hours last month. Wiz researchers used AI models to uncover a vulnerability in GitHub’s internal infrastructure that could have allowed attackers to access millions of public and private code repositories.

“Our security team immediately began validating the bug bounty report. Within 40 minutes, we reproduced the vulnerability internally and confirmed its severity,” explains Alexis Wales, chief information security officer at GitHub. “This was a critical issue that required immediate action.”

The GitHub engineering team developed and deployed a fix just over an hour after identifying the root cause, protecting both GitHub.com and GitHub Enterprise Server. “In less than two hours, we were able to validate the result, publish a fix on github.com, and initiate a forensic investigation that concluded there was no exploitation,” Wales says. This means the issue was fixed within six hours of Wiz reporting it.

The vulnerability itself was discovered “using artificial intelligence,” according to Wiz. However, it is not clear exactly which AI model helped discover the problem. “It is noteworthy that this is one of the first critical vulnerabilities discovered in closed source binaries using AI, highlighting the shift in how these flaws are identified,” says Sagi Tzadik, security researcher at Wiz.

While GitHub’s quick response meant the fix was deployed within just hours, Wiz warns that the rare vulnerability was “remarkably easy to exploit,” despite the complexity of GitHub’s platform. “It’s rare to find something of this level and severity, resulting in one of the highest bounties available in our Bug Bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions,” Wales says.

The discovery of a major security vulnerability in GitHub comes just days after GitHub experienced a major outage that randomly reverted some users’ code to previously merged commits (code snapshots). GitHub also had other interruptions last week, in what is increasingly becoming a trend for the service. I mentioned last week employee concerns about GitHub’s reliability, highlighting one GitHub employee who said “the company is collapsing, whether in a very bad outage that has burned the company’s reputation… or in the departure of leadership.”
