
Mintlify Data Breach Leads to Exposure of Customer GitHub Tokens

Mintlify announces vulnerability disclosure program after a data breach exposed 91 customer GitHub tokens.

AI-powered code documentation firm Mintlify says customer GitHub tokens were compromised in a data breach caused by a vulnerability in its systems, prompting it to launch a bug bounty program.

Mintlify helps developers generate code documentation. It requires access to the source code, such as GitHub repositories, to analyze it, understand its purpose, and create descriptions.

In an incident notice on its website, the San Francisco-based company says that 91 customer tokens were exposed in a data breach identified on March 1, when it received a report of the issue and discovered unauthorized requests to its servers.

“We noticed that some of these requests targeted sensitive API endpoints and were successful in their attempts. This unusual activity indicated that the actor behind these requests had possession of our private admin access tokens, granting them unauthorized access to our endpoints,” Mintlify says.

After learning that a customer’s repository was accessed using GitHub tokens stored in its database, the company revoked all GitHub token access, rotated administrative access tokens, and hardened the security of its APIs.

“We’ve detected from our logs that 91 GitHub tokens were compromised. The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify says.


Mintlify also says that it worked with a bug bounty reporter to address the underlying vulnerability, that it revoked all access tokens again on March 2, and that it is working with cybersecurity firms to investigate the incident and improve its security stance.

It’s unclear whether the individual who reported the vulnerability is the same one who exploited the flaw. Some ‘bug bounty hunters’ are known to use aggressive tactics, including exploiting a bug in ways that could be interpreted as malicious, to ensure they receive a reward.

To make it easier for security researchers to report vulnerabilities, the company has launched a bug bounty program covering mintlify.com, dashboard.mintlify.com, leaves.mintlify.com, and the Mintlify GitHub apps.

Interested researchers should send vulnerability reports to ‘security @ mintlify.com’. Reports should contain a description of the bug, steps to reproduce it, details on the environment used, and proof-of-concept code where possible.

Previously unidentified vulnerabilities with a CVSS score of 4 or higher are guaranteed to receive financial compensation, the company says. Additional information can be found on Mintlify’s responsible disclosure page.

Related: Mercedes Source Code Exposed by Leaked GitHub Token

Related: Major Organizations Using ‘Hugging Face’ AI Tools Put at Risk by Leaked API Tokens

Related: Sourcegraph Discloses Data Breach Following Access Token Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
