“Our security team immediately began validating the bug bounty report. Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity,” explains Alexis Wales, GitHub chief information security officer. “This was a critical issue that required immediate action.”

GitHub’s engineering team developed a fix and deployed it just over an hour after identifying the root cause, protecting both GitHub.com and GitHub Enterprise Server. “In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation,” says Wales. This meant the issue was fixed within six hours of the report from Wiz.

The vulnerability itself was discovered “using AI,” according to Wiz. It’s not clear exactly what AI model helped find the issue, though. “Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified,” says Sagi Tzadik, a security researcher at Wiz.

While GitHub’s rapid response meant a fix was deployed in just hours, Wiz warns that the rare vulnerability was “remarkably easy to exploit,” despite how complex GitHub’s underlying system is. “A finding of this caliber and severity is rare, earning one of the highest rewards available in our Bug Bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions,” says Wales.