Security Incident: Node Security API
Wednesday afternoon we put a new version of the Node Security API in place to allow for some new and exciting features in the future.
This morning Dan Silivestru, CEO of BitHound, notified us that they saw a couple of advisories that were available publicly but were incomplete, information-wise.
We investigated and found a flaw in our API, specifically related to authorization, that allowed access to non-public advisories. This case was also not checked by our test suite, despite having 100% code coverage. It's an embarrassing reminder that even with diligent development practices, code coverage and peer reviews, things get missed and vulnerabilities find their way in.
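The lesson in the paragraph above, that full line coverage says nothing about whether the authorization path was ever exercised, is easiest to see in code. The following is an added example written for this post, not the Node Security API's own code: a minimal advisory lookup missing its authorization check, the hardened form beside it, and a small matrix of the negative cases a test suite has to call explicitly. The advisory records, the `staff` role and the `embargoUntil` field are assumptions for the example.

```javascript
// Added example (not the Node Security API's code): an advisory lookup with
// an authorization gap, its hardened form, and a check that shows why line
// coverage alone never forces the denial case to be tested.

// Constructed sample data; ids, titles, dates and roles are placeholders.
const ADVISORIES = [
  { id: 1, title: 'Example public advisory', published: true, embargoUntil: null },
  { id: 2, title: 'Example embargoed advisory', published: false, embargoUntil: '2099-01-01T00:00:00Z' },
];

function findAdvisory(id) {
  return ADVISORIES.find((a) => a.id === id) || null;
}

// Vulnerable form: the requester is never consulted and `published` is never
// read. A test that requests only the public advisory runs every line here
// and passes, so the suite reports 100% coverage while the bug survives.
function getAdvisoryVulnerable(id /* requester is ignored */) {
  const advisory = findAdvisory(id);
  if (!advisory) return { status: 404, body: null };
  return { status: 200, body: advisory };
}

// Hardened form: a non-public or still-embargoed advisory is returned only to
// a requester whose role is on the allow list; everyone else receives 404 so
// the existence of the id is not disclosed either. Role name is an assumption.
const PRIVILEGED_ROLES = new Set(['staff']);

function isEmbargoed(advisory, now = new Date()) {
  return !advisory.published ||
    (advisory.embargoUntil !== null && new Date(advisory.embargoUntil) > now);
}

function getAdvisory(id, requester = null) {
  const advisory = findAdvisory(id);
  if (!advisory) return { status: 404, body: null };
  if (isEmbargoed(advisory)) {
    const role = requester && requester.role;
    if (!PRIVILEGED_ROLES.has(role)) return { status: 404, body: null };
  }
  return { status: 200, body: advisory };
}

// Authorization logic needs explicit negative tests. This helper evaluates
// the same access matrix against any handler so the two forms can be compared.
function authorizationMatrix(handler) {
  return {
    anonymousPublic: handler(1, null).status,
    anonymousEmbargoed: handler(2, null).status,
    userEmbargoed: handler(2, { role: 'user' }).status,
    staffEmbargoed: handler(2, { role: 'staff' }).status,
  };
}

// Usage: compare the matrices. The vulnerable handler answers 200 to an
// anonymous request for the embargoed advisory; the hardened one answers 404.
console.log('vulnerable:', authorizationMatrix(getAdvisoryVulnerable));
console.log('hardened:  ', authorizationMatrix(getAdvisory));
```

The point of `authorizationMatrix` is that each row is a case the test suite must name on purpose. A suite that only fetches public advisories can still execute every line of `getAdvisoryVulnerable`, which is exactly how a coverage number of 100% and a missing authorization check coexist.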
Both of the advisories that were exposed contained information that is currently public, but we just haven't finished writing up the advisories yet. Those should be out this next week.
Additionally, we reviewed our advisory access logs and found that nobody other than BitHound and ^Lift employees accessed those advisories.
We believe that we can do better as stewards of this information, ensuring that it remains private when it needs to be, before the embargo date, so that no unnecessary vulnerability is created.