By Xavier Rivera · 1 min read

GitHub patches critical RCE vuln in under 6 hours

Wiz Research discovered a critical remote code execution vulnerability in GitHub’s git infrastructure using AI models. GitHub validated, fixed, and confirmed no exploitation within six hours of the bug bounty report.

Source: The Verge

GitHub employees fixed a critical remote code execution vulnerability in less than six hours last month. Wiz Research used AI models to uncover the flaw in GitHub’s internal git infrastructure, which could have allowed attackers to access millions of public and private code repositories.

“Our security team immediately began validating the bug bounty report. Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity,” explains Alexis Wales, GitHub chief information security officer. “This was a critical issue that required immediate action.”

GitHub’s engineering team developed a fix and deployed it just over an hour after identifying the root cause, protecting both GitHub.com and GitHub Enterprise Server. “In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation,” says Wales.

The vulnerability was discovered “using AI,” according to Wiz. “Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified,” says Sagi Tzadik, a security researcher at Wiz. Wiz warns the rare vulnerability was “remarkably easy to exploit.”

The finding earned one of the highest rewards in GitHub’s Bug Bounty program, says Wales.

EXPERT TAKE

GitHub's sub-six-hour response time sets a benchmark for enterprise cloud security incident handling.
