[oliwarner]

I'm not sure private disclosure is appropriate here.

This isn't the same as a browser vulnerability where some kid could hack a load of people before they patched. One of these supposedly trusted companies could attack your customers... But they could already. They know their scripts get loaded into all sorts of inappropriate environments.

Getting people notified, getting credentials changed. That's the paramount concern. You can rub PR lotion into an in-depth audit later on.

[ejcx]

This reaction is nonsense. These are all vendors that circle pays.

It's an industry wide bad practice and a risk, but forcing password changes or notifying people is quite frankly ridiculous.

[oliwarner]

I didn't suggest forcing anything... But just because other people do it doesn't make it better.

Many of their clients may treat this as they would an actual breach. It's somebody they haven't vetted having potentially complete access to their development chain and production secrets. They won't know until they look. They won't look until they're told.

And what's CircleCI paying a for this breach got to do with the price of fish?! Say you hired me and gave me full access to everything in your business. Then one day I turn around and tell you my extended family, my friends, my dog walker and my cleaner have all also had access to that data. No big problem eh?

[jlmorton]

This practice is allowed by industry security standards, like PCI-DSS. If it's determined that the third-party acts as a PCI Service Provider, then the compliant party has a duty to determine that the third-party is also compliant.

The client vetted CircleCI, and CircleCI presumably vetted the third parties. It is not fair to say these vendors have not been vetted.

It may not be a best practice, but it's little different than CircleCI (or any other company) contracting with a private data center, which has direct physical access to their equipment. They have presumably vetted the data center provider, or cloud computing vendor.

[ejcx]

There is absolutely no breach here. Absolutely not. Suggesting so is ridiculous. The word breach is a very special one and this is not it.

[oliwarner]

I think you're the one being more reckless with language here. But please, what does "breach" mean to you?

I count it as "inappropriate and unauthorised access to data". Where "access" is potential, not necessarily actual unless you can absolutely prove there was no access.

These third parties have had access to sensitive data they shouldn't. That's a breach in my book.

Neither you or Circle CI even can say this hasn't lead to current or past third parties —or their rogue developers, or people who have hacked them— gaining source access or customer data from Circle CI users. Why? You simply don't know what was running at any given point.

Auditing and sub-resource integrity would help in the future, but it's too late. Unknown people have had access. Only the Circle CI users will know what ramifications that could have on them.

If your argument is anything more than a redefinition of "breach", please explain why you're being so nonchalant (and why you think I'm being "ridiculous") about this.