> Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago — on March 2. But as of April 30, when GitGuardian directly alerted xAI’s security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.
Having the security team redirect the report to the HackerOne program is wild.
At least someone had enough thought to eventually forward it to someone who could fix it.
What absolute incompetence. Not just on this dev, but any org with API keys ought to be scanning for leaked keys constantly. Failure of one and failure of many.
This has ruined many careers in the making. The DDoS attacks happened while this breach-like hotspot was open. Who do we contact if any of our studies are leaked out like a publicity stunt day in, day out, and x.ai hasn't responded for months after we stated concern about rogue-like actions on different AI services? Do we post videos, make statements, or just gather and share tips and insight?