> Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago — on March 2. But as of April 30, when GitGuardian directly alerted xAI’s security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.
Having the security team redirect the report to the HackerOne program is wild.
At least someone had enough thought to eventually forward it to someone who could fix it.
It's come up before. HackerOne is not intended as a replacement for a PSIRT front desk, but many companies use it as such. It looks like PayPal still does this, for example.
Contacted the support team, DoD and FBI... nothing was done a month or two ago. It's sad. But when I see that studies are now sci-fi flicks... my heart broke a little while ago. Never mind that this was swept under the radar by the DDoS attacks. Classic Ocean's 15 movie in the making.