We changed the REST API authorization logic for maintainer fork collaborators to address an improper write access control bug identified by an independent bug bounty researcher. Under certain circumstances, this bug could have allowed unauthorized commits to be merged without further review or validation. This change impacts the following:
- Prior to December 2020, any forkable repository.
- After December 2020, only forkable repositories which are themselves forks of other repositories.
At this time there is no evidence to suggest that this bug was exploited to compromise GitHub.
GitHub recommends the use of branch protections for important branches. The use of branch protections, such as required pull request reviews or status checks, where it was enforced prevented unauthorized commits from being merged without further review or validation.
Learn more about branch protection settings
If you have additional questions please contact us