by _7gt4 1458 days ago
My recent experience with GitHub regarding a security issue was not very positive either.[1] It turned out, unlike two vendors I notified that were affected, they just didn't care. And they didn't bother to even tell me that they didn't care.

It's a very edge-case issue in Enterprise SSO, so I wasn't really able to generate any blowback with disclosure either. But if you find an org with just the right setup it blows a huge hole into the SSO product, to the point of making it useless.

There also seems to be an asymmetry between the core product and everything else. GitHub Enterprise has issues that aren't even considered UX issues (i.e. notifications showing "3 of 0" notifications if no SAML session exists) that'd warrant bounties if they were in the core product.

[1]: https://notes.acuteaura.net/posts/github-enterprise-security...

2 comments

How is Tailscale mitigating this? They can't enforce GitHub SAML at their end, right?
The membership API returns a 403 if no SAML session exists. Check the remedy section of the post.

This was an accidental find and GitHub has refused to document it.
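The remedy described in the reply above (treat a 403 from the membership endpoint as "no SAML session" and refuse access) as an added example; this is not code from the thread, from Tailscale, or from GitHub. It assumes the documented GitHub REST endpoint `GET /orgs/{org}/members/{username}` (204 member, 404 not a member) and, as a hypothetical detail, that the SAML-enforcement 403 body carries a `message` containing the phrase "SAML enforcement"; the org name, username and token are placeholders, and the check fails closed on anything it does not recognise.

```python
"""Fail-closed GitHub org membership gate for SSO-backed access decisions.

Added example (not from the thread, Tailscale or GitHub). Assumptions:
  - GET /orgs/{org}/members/{username}: 204 = member, 404 = not a member.
  - A token without an active SAML session for an SSO-enforced org gets a
    403 whose JSON "message" contains "SAML enforcement" (hypothetical match
    string; adjust to the exact text observed).
Anything else is denied rather than allowed.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, NamedTuple

API = "https://api.github.com"


class Response(NamedTuple):
    status: int
    body: bytes


Fetch = Callable[[str, dict], Response]


def urllib_fetch(url: str, headers: dict) -> Response:
    """Real transport: return (status, body) for any status instead of raising.

    urllib follows redirects, so a 302 for a requester who is not an org member
    ends up at the public-members endpoint and yields its 204/404.
    """
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read())


def classify(resp: Response) -> str:
    """Map a membership response to an access decision string.

    Only an explicit 204 allows; every other outcome denies, with a reason
    that is useful for logging and for telling "SSO not satisfied" apart
    from "not a member".
    """
    if resp.status == 204:
        return "allow"
    if resp.status == 404:
        return "deny:not-a-member"
    if resp.status == 403:
        try:
            message = json.loads(resp.body.decode("utf-8") or "{}").get("message", "")
        except (ValueError, UnicodeDecodeError):
            message = ""
        if "SAML enforcement" in message:  # assumed phrase, see module docstring
            return "deny:no-saml-session"
        return "deny:forbidden"
    # 5xx, rate limiting (429), or anything unexpected: fail closed.
    return "deny:unexpected-status"


def check_membership(org: str, username: str, token: str,
                     fetch: Fetch = urllib_fetch) -> str:
    """Query the membership endpoint with the user's token and classify it."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "sso-gate-example",  # GitHub rejects requests without one
    }
    return classify(fetch(f"{API}/orgs/{org}/members/{username}", headers))


def demo() -> dict:
    """Run the classifier over constructed responses (no network)."""
    samples = {
        "member_with_saml": Response(204, b""),
        "not_a_member": Response(404, b'{"message": "Not Found"}'),
        "no_saml_session": Response(
            403, b'{"message": "Resource protected by organization SAML enforcement."}'),
        "other_403": Response(403, b"plain text, not json"),
        "api_outage": Response(503, b""),
    }
    return {name: classify(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The important design choice is that the gate allows on exactly one response and denies on everything else: if the token has no SAML session, the 403 blocks access even though the user is a member of the org, which is the behaviour the reply relies on. Use the end user's own token for the call, since a service token with a standing SAML session would make the check pass for everyone.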

My guess is that GitHub ignores issues so they don't have to pay out bug bounties.
I find these takes so silly. Bug bounties are a rounding error in the companies' budgets, even if they paid out much more freely. There are many I think much more obvious reasons orgs are slow on issues - everything from figuring out what is an issue, trying to chase down impacts and more.
I think it's not a matter of not wanting to pay, but not wanting to have your departments "we had to pay someone to fix your security bugs" metric go up.

That's also likely why issues in the core product are taken more seriously.