curuinor (6 days ago):
CodeRabbit response - https://www.coderabbit.ai/blog/our-response-to-the-january-2...
marksomnian (6 days ago), replying to curuinor:
If I were a CodeRabbit customer, I'd still be pretty concerned after reading that. How can CodeRabbit be certain that the GitHub App key was not exfiltrated and used to sign malicious tokens for customer repos (or even used for that in situ)? I'm not sure if GitHub supports restricting the source IPs of API requests, but if it does, it'd be a trivial mitigation - and one that is absent from the blog post. The claim that "no malicious activity occurred" implies that they audited the activities of every repo that used Rubocop (or any other potential unsandboxed tool) from the point that support was added for it until the point that the vulnerability was fixed. That's a big claim. And why only publish this now, when the Kudelski article makes it to the top of HN, over six months after it was disclosed to them?
jatins (6 days ago), replying to curuinor:
> No customer data was accessed and the vulnerability was quickly remediated within hours of disclosure
How do they know this? Do they have any audit logs confirming this? A malicious actor could have been using this for months, for all they know.
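Both comments above come down to the same question: what evidence would let an operator rule out use of a leaked GitHub App private key? Whoever holds that key can mint installation tokens for any installed repository, and the blog post they are discussing offers no audit artefact. The script below is an added illustration, not code from CodeRabbit, GitHub, or the commenters, of the kind of check an operator would run: take a log of installation-token requests, compare each request's source address against the egress range the service's own workers are expected to use, and tag each anomaly by whether it falls inside the exposure window (tool support added until fix shipped). Anything anomalous after the fix date is the more important signal, because it would mean the key itself is still in someone else's hands and must be rotated. The event records, field names (`ts`, `installation_id`, `source_ip`, `repo`), the `203.0.113.0/24` egress range, and the exposure dates are all constructed for the example; GitHub Enterprise Cloud does offer an organization-level IP allow list, which is the production counterpart of the source-address check modelled here.

```python
"""Offline audit of GitHub App installation-token requests against an expected egress range.

Added example with constructed data; it does not read any real GitHub audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample of token-mint events. The field names are an assumption made
# for this illustration, not GitHub's audit-log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00Z", "installation_id": 1001, "source_ip": "203.0.113.10", "repo": "acme/api"},
    {"ts": "2025-01-12T23:41:00Z", "installation_id": 1001, "source_ip": "198.51.100.77", "repo": "acme/api"},
    {"ts": "2025-03-02T11:15:00Z", "installation_id": 1002, "source_ip": "203.0.113.11", "repo": "acme/web"},
    {"ts": "2025-03-03T02:05:00Z", "installation_id": 1002, "source_ip": "198.51.100.77", "repo": "acme/web"},
]

# Constructed: the CIDR range the service's own workers are expected to call GitHub from.
EXPECTED_EGRESS = [ip_network("203.0.113.0/24")]

# Constructed exposure window: from the date the unsandboxed tool was introduced
# until the date the fix shipped. Anomalies after EXPOSURE_END mean the key is
# still being used by a party that is not the service, so the key must be rotated.
EXPOSURE_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2025, 2, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    installation_id: int
    repo: str
    source_ip: str
    ts: datetime
    in_exposure_window: bool


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_expected_source(ip: str, allowlist=EXPECTED_EGRESS) -> bool:
    """True when the request came from one of the service's own egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in allowlist)


def audit_token_events(events, allowlist=EXPECTED_EGRESS, window=(EXPOSURE_START, EXPOSURE_END)):
    """Return one Finding per token request whose source address is not in the allowlist."""
    start, end = window
    findings = []
    for ev in events:
        if is_expected_source(ev["source_ip"], allowlist):
            continue
        ts = parse_ts(ev["ts"])
        findings.append(Finding(
            installation_id=ev["installation_id"],
            repo=ev["repo"],
            source_ip=ev["source_ip"],
            ts=ts,
            in_exposure_window=start <= ts < end,
        ))
    return findings


def affected_repos(findings) -> list:
    """Repositories that saw at least one anomalous token request."""
    return sorted({f.repo for f in findings})


def key_rotation_required(findings) -> bool:
    """Any anomaly outside the exposure window means the key is still in use elsewhere."""
    return any(not f.in_exposure_window for f in findings)


if __name__ == "__main__":
    results = audit_token_events(SAMPLE_EVENTS)
    for f in results:
        tag = "inside exposure window" if f.in_exposure_window else "AFTER fix: key still in use"
        print(f"{f.ts.isoformat()} install={f.installation_id} repo={f.repo} ip={f.source_ip} ({tag})")
    print("affected repos:", affected_repos(results))
    print("rotate key:", key_rotation_required(results))
```

The point of splitting findings by the exposure window is that "no malicious activity" is only a meaningful claim if the audit covers every installation from the day the unsandboxed tool went live, and a post-fix anomaly is evidence of key theft rather than in-situ abuse, which only rotation remedies.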