Skip to content

[Security Research] Authorized bug bounty PRT verification — ddf955b8#77

Draft
fitzpr wants to merge 1 commit into
jfrog:mainfrom
fitzpr:security-research/prt-verify-ddf955b8
Draft

[Security Research] Authorized bug bounty PRT verification — ddf955b8#77
fitzpr wants to merge 1 commit into
jfrog:mainfrom
fitzpr:security-research/prt-verify-ddf955b8

Conversation

@fitzpr

@fitzpr fitzpr commented Jul 11, 2026

Copy link
Copy Markdown

Automated security research verification — authorized bug bounty testing

Security researcher atoma (HackerOne: https://hackerone.com/atoma) is verifying whether frogbot-scan-pr.yml is exploitable via pull_request_target with fork code checkout.

This draft PR is part of responsible disclosure under jfrog's bug bounty program. It will be automatically closed and the fork deleted within 60 seconds. No credentials are exfiltrated — the only test is whether a DNS lookup from the Actions runner reaches an OOB listener, confirming execution of fork-supplied code.

No action needed. This PR closes itself automatically.

Questions? Contact via HackerOne before closing: https://hackerone.com/atoma

@github-actions

Copy link
Copy Markdown
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant