Improvement

March 2, 2021
1 Minute Read

REST API Maintainer Fork Collaboration Access Changes

We changed the REST API authorization logic for maintainer fork collaborators to address an improper write access control bug identified by an independent bug bounty researcher. Under certain circumstances, this bug could have allowed unauthorized commits to be merged without further review or validation. This change impacts the following:

  • Prior to December 2020, any forkable repository.
  • After December 2020, only forkable repositories which are themselves forks of other repositories.

At this time there is no evidence to suggest that this bug was exploited to compromise GitHub.

GitHub recommends the use of branch protections for important branches. Where branch protections such as required pull request reviews or status checks were enforced, they prevented unauthorized commits from being merged without further review or validation.
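As an added example (not GitHub's own code), the following script audits branch protection payloads of the shape returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection and flags branches that lack the two controls named above, required pull request reviews and required status checks. It goes one step beyond the text by also reporting when enforce_admins is disabled. The payloads are constructed samples embedded inline so the script runs offline; in practice you would feed it the parsed JSON from an authenticated API call.

```python
"""Audit GitHub branch protection settings for required reviews and status checks.

Added example, not GitHub's code. Input is the JSON object returned by
GET /repos/{owner}/{repo}/branches/{branch}/protection, or None when the
branch has no protection rule at all. Sample payloads below are constructed.
"""
import json
from typing import Dict, List, Optional

# Constructed sample: reviews and status checks are required, admins included.
PROTECTED = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": True},
}

# Constructed sample as raw JSON text: a rule exists but requires nothing.
WEAK_JSON = """
{
  "required_pull_request_reviews": {"required_approving_review_count": 0},
  "enforce_admins": {"enabled": false}
}
"""
WEAK = json.loads(WEAK_JSON)


def audit_protection(protection: Optional[dict]) -> List[str]:
    """Return findings for one branch; an empty list means it meets the bar."""
    if protection is None:
        return ["branch is not protected at all"]

    findings = []

    # Required pull request reviews: present, and at least one approval needed.
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < 1:
        findings.append("required_approving_review_count is 0: reviews are optional")

    # Required status checks: at least one named check must pass before merge.
    checks = protection.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        findings.append("no required status checks")

    # Stricter than the text: the rule should also apply to administrators.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("enforce_admins disabled: administrators can bypass the rule")

    return findings


def audit_branches(protections: Dict[str, Optional[dict]]) -> Dict[str, List[str]]:
    """Audit a mapping of branch name -> protection payload (None if unprotected)."""
    return {name: audit_protection(payload) for name, payload in protections.items()}


if __name__ == "__main__":
    # Constructed inventory standing in for the parsed responses of three branches.
    inventory = {"main": PROTECTED, "release": WEAK, "docs": None}
    for branch, findings in audit_branches(inventory).items():
        print(f"{branch}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the output of the protection endpoint for each important branch; any branch that returns findings is one where the bug described in this changelog could not have been caught by branch protection.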

Learn more about branch protection settings

If you have additional questions, please contact us.

