by DrJokepu 6111 days ago
I'm no security expert but I'm not sure if I get it - assuming that your code is well written, how would exposing the source code and change history make it more vulnerable? By using this logic, every piece of open source software is "vulnerable". Security through obscurity is not really security.

I thought not checking in safety critical things such as passwords or keys into the repository tree is a standard practice. If it's not, it should be.


It depends on what the threat is.

If the threat is finding a vulnerability, then you are right. If the threat is leaking the source code to the competition, then it is a serious matter.

Also, keep in mind the deployed source code is different from just the source code; it usually contains things like the database credentials and such.

Of course, but the "vulnerability" in this article was about the source code in the repository tree, not the deployed one. Also, I believe that database credentials should be stored in external configuration files (which, of course, shouldn't be browsable) so if they do an update, they don't have to add the credentials again.

About leaking the source: Yes, that could definitely be a problem, I agree, but I'm not sure if this can be considered a vulnerability; it is more like carelessness on the part of the admin of the site.
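One way to implement the arrangement described above (database credentials kept in an external configuration file that is neither browsable nor part of the repository tree), as an added Python example that is not from the thread or from any project it mentions. The directory layout, the INI file contents and the `load_db_credentials` function are constructed assumptions; the loader refuses any credentials file that resolves to a location under the web document root or under the checked-out repository, and the `demo` function builds a throwaway layout to show both the accepted and the rejected cases.

```python
"""Added example (not from the HN thread): load database credentials from a
configuration file kept outside both the web document root (so it cannot be
served to a browser) and the source repository (so it cannot be committed)."""
import configparser
import shutil
import tempfile
from pathlib import Path

# Constructed sample configuration; the values are placeholders.
SAMPLE_CONFIG = """[database]
host = db.internal.example
user = app
password = placeholder-not-a-real-password
"""


def _is_inside(path: Path, parent: Path) -> bool:
    """True if `path` is `parent` or lies beneath it, after resolving symlinks."""
    try:
        path.resolve().relative_to(parent.resolve())
        return True
    except ValueError:
        return False


def load_db_credentials(config_path, docroot, repo_root):
    """Read [database] credentials from config_path, rejecting unsafe locations.

    A file under the document root may be browsable; a file inside the
    repository tree may be committed along with the source (assumed policy).
    """
    config_path = Path(config_path)
    if _is_inside(config_path, Path(docroot)):
        raise ValueError("credentials file is under the web root and may be browsable")
    if _is_inside(config_path, Path(repo_root)):
        raise ValueError("credentials file is inside the repository tree")
    parser = configparser.ConfigParser()
    with open(config_path) as fh:
        parser.read_file(fh)
    section = parser["database"]
    return {"host": section["host"], "user": section["user"], "password": section["password"]}


def demo():
    """Build a constructed layout in a temp dir and exercise the loader.

    Layout (all constructed):
        <base>/site-repo/            checked-out source repository
        <base>/site-repo/public/     web document root, served by the web server
        <base>/etc/myapp/db.ini      credentials file outside both (accepted)
        <base>/site-repo/public/db.ini   browsable copy (rejected)
        <base>/site-repo/config/db.ini   committed copy (rejected)
    """
    base = Path(tempfile.mkdtemp(prefix="creds-demo-"))
    try:
        repo_root = base / "site-repo"
        docroot = repo_root / "public"
        docroot.mkdir(parents=True)
        etc_dir = base / "etc" / "myapp"
        etc_dir.mkdir(parents=True)

        good = etc_dir / "db.ini"
        good.write_text(SAMPLE_CONFIG)
        bad_public = docroot / "db.ini"
        bad_public.write_text(SAMPLE_CONFIG)
        bad_repo = repo_root / "config" / "db.ini"
        bad_repo.parent.mkdir()
        bad_repo.write_text(SAMPLE_CONFIG)

        results = {"creds": load_db_credentials(good, docroot, repo_root)}
        for label, path in (("public", bad_public), ("repo", bad_repo)):
            try:
                load_db_credentials(path, docroot, repo_root)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check is deliberately done on resolved paths so that a symlink from inside the document root to the credentials file is caught as well as a direct placement. On a real deployment the external file would also carry restrictive file permissions, which this example does not model.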