> it'd be awesome if the in-browser IDE launched with a temporary per-repo permission scope

ammar2 • today at 3:38 AM • 1 reply • view on HN

That's actually exactly what they do for codespaces. The token only has read/write on the repo you activated for the codespace [1]. They should definitely consider doing that for github.dev as well.

[1] https://orca.security/resources/blog/hacking-github-codespac...

Replies

itopaloglu83 • today at 9:06 AM

Or they could’ve kept their bounty program running smoothly. But instead they pissed off another security researcher and received a zero days heads-up before public disclosure.

➕ show 1 reply

alt Hacker News

Replies