
REST API Maintainer Fork Collaboration Access Changes

We changed the REST API authorization logic for maintainer fork collaborators to address an improper write access control bug identified by an independent bug bounty researcher. Under certain circumstances, this bug could have allowed unauthorized commits to be merged without further review or validation. This change impacts the following:

  • Prior to December 2020, any forkable repository.
  • After December 2020, only forkable repositories which are themselves forks of other repositories.

At this time there is no evidence to suggest that this bug was exploited to compromise GitHub.

GitHub recommends the use of branch protections for important branches. Where branch protections such as required pull request reviews or status checks were enforced, they prevented unauthorized commits from being merged without further review or validation.

Learn more about branch protection settings

If you have additional questions, please contact us.

Since changing the behavior of the assignee control to speed up assigning users, we’ve made a few updates based on your feedback. Now, when there are fewer than 30 possible assignees, the assignee control lists all potential users rather than a limited set of suggestions, making it easier for people in small organizations to find the right user.

Type ahead searching for assignees and the new result ranking are also now available on the GitHub mobile app.

Learn more about assigning users to issues and pull requests


The GitHub app for Microsoft Teams is now generally available. With this release, we have added the following features:

  • Personal Chat notifications.
  • Schedule reminders for pending pull requests in your channels and personal chat.

Read more about the GitHub app for Microsoft Teams.
