Hacker News new | ask | show | jobs
by dundarious 1461 days ago
It seems like the appropriate thing to do would be to inform anyone who had tokens created during the affected time period, so they could assess if any of the permissions led to undesired changes. Instead of GitHub saying “we don’t have hard proof of anything bad happening” and waiting 3 months, just give the customer the time of relevant token creations.
1 comments
smarx007 1461 days ago
The email listed the apps that issued tokens in the specified time window. If your notification email listed 0 apps, it means no apps created tokens during the time window in question (I got 1 app listed). I only missed that those tokens had 1h lifetime.
link
dundarious 1461 days ago
Listing token times instead of just apps, and doing so nearer the actual time instead of 3 months later, are the key parts of my suggestion.
link