David Gerardfucking lol. remember the rick astley attack on github copilot? same guy's found another one https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code (fixed 14 aug)
EDIT: gitlab, not github sorry!
⬡-49016 
@davidgerard fun fact! they have been aware of this vuln since may, the report above is a duplicate. original finder of the vuln here lol
(yes, they seriously consider a LLM leaking your private repo contents as a "low risk issue")
@davidgerard (and yes, the $1k bounty is a bit low, considering that they advertise $10,000 - $20,000 for "High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access." on hackerone, especially considering that they pay $4k for leaking just the username of the current user or $10k for other private repo content leaks. their response to asking why the bounty is so low is months of ghosting 🙃)
GitHub disclosed on HackerOne: Information Leakage via Clicked Link...
An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This...
@49016 lol holy shit, added that to the blog post