moov-io/customers

Vulnerability Disclosure Program?

mrthankyou opened this issue · 3 comments

Customers Version: N/A

What were you trying to do?
I'm trying to determine where your vulnerability disclosure program is for your open-sourced projects on Github.

What did you expect to see?
It would be nice if you had a security.txt file in your repo for white-hat security researchers to know where to submit security bugs.

What did you see?
N/A

How can we reproduce the problem?
N/A

Can you reach out to security@moov.io? We'll get the OSS projects to clarify the problem. Thanks!

I've reached out to them. Hopefully they can provide more info. Thanks for the help!

Thanks for making a white-hat report! There doesn't seem to be anything here related to the issue; I'm going to reply with what I found.

This article talks about how forks can PR and get the generated GITHUB_TOKEN, which isn't great.
https://sites.google.com/securifyinc.com/secblogs/hacking-github-actions

However, this token only has read access during forked PR builds. There's a risk of extra data being leaked, but there doesn't seem to be a full takeover possibility. This would be a huge problem for GitHub as thousands of repositories use GITHUB_TOKEN in their Actions jobs.
https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

For PRs from forks no other secrets are presented to that instance.
https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

We've verified this with the following PR as well.

See: #232

[Screenshot, 2020-10-07]

Thanks again for the responsible disclosure!
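The comments above rely on GitHub's default behaviour: a fork-triggered `pull_request` run gets a read-only GITHUB_TOKEN and no repository secrets. Since 2021 a workflow can also pin that scope explicitly with the top-level `permissions` key, so the token stays read-only even on pushes to the base repository. The following workflow is an added example for this thread, not a file from the moov-io/customers repository; the workflow name, branch name and `go test` step are assumptions about a Go project.

```yaml
# Added example (not from moov-io/customers): least-privilege GITHUB_TOKEN scope.
name: CI

on:
  # Fork PRs trigger this event. GitHub hands such runs a read-only
  # GITHUB_TOKEN and withholds all other repository secrets.
  pull_request:
  push:
    branches: [master]   # assumed default branch

# Explicit token scope for every job. Without this key the token's
# permissions on non-fork runs follow the repository default, which
# may be read-write. 'contents: read' is enough to check out and build.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # Assumed build step for a Go module; replace with the project's own.
      - run: go test ./...
```

A caveat worth knowing when auditing workflows: the `pull_request_target` event runs in the context of the base repository with its secrets available, so a workflow that uses it and then checks out the PR head gives the fork's code the privileges this thread says forks do not get. Prefer `pull_request`, as above, unless the job genuinely needs base-repository credentials and never executes untrusted PR code.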