I found and reported this vulnerability with @ginkoid. This was actually the first report that paid out for me on HackerOne. At $35,000, it’s also the highest bounty I’ve received so far from HackerOne (and I believe the highest GitHub has paid out to date). A lot of bugs seem to be a mix of both luck and intuition. In this blog post, I’ll illustrate my thought processes in approaching such a targ
![Breaking GitHub Private Pages for $35k](https://cdn-ak-scissors.b.st-hatena.com/image/square/335f6d4bac1ce1e5bb56a3c09e4be690bc7e9305/height=288;version=1;width=512/https%3A%2F%2Frobertchen.cc%2Fghost.png)