GitHub rejected two formal vulnerability reports identifying design flaws that researchers say are enabling variants of the Shai-Hulud supply-chain worm to infect and compromise hundreds of software packages and developer accounts worldwide.
I hate sitting out a GitHub bash, but they’re entirely right and neither of those are vulnerabilities; HackerOne isn’t for arguing over design.
Important projects should use signed commits, and there should be a giant red flag raised when repositories are force pushed IMO, but those are two different issues, neither of which can be cashed in for a bug bounty.
inari@piefed.zip 15 hours ago
Microslop truly ruins everything they touch