For autofix.ci to work, you need to provide autofix.ci's GitHub App with read/write permissions for your repository. Many maintainers are rightfully hesistant to provide such permissions to third parties. We are taking this responsibility very seriously, and have designed autofix.ci with security in mind from the start:
- autofix.ci has a well-defined threat model in which GitHub Actions runners are treated as completely untrusted and potentially compromised. The autofix.ci API only enables the workflow to update the current pull request once.
- autofix.ci minimizes untrusted input and data processing where possible. For example, instead of using git checkout/apply/push, we have decided to use GitHub's GraphQL API. This makes it much harder to port autofix.ci to other platforms, but means we only need to process a simple JSON data structure instead of applying git commands on untrusted repositories (see e.g. CVE-2021-21300).
- autofix.ci's hosted service is written in a memory-safe language that emphasizes correctness (Rust).
- autofix.ci's main author has extensive practical (building security software, organizing and playing CTF security competitions) and theoretical security experience (CS PhD from a security group).
Reporting a Vulnerability
We ask that you do not report security issues to our normal GitHub issue tracker. If you believe you've identified a security issue with autofix.ci, please report it to securitynoreply@email@example.com.
Once you've submitted an issue via email, you should receive an acknowledgment within 48 hours, and depending on the action to be taken, you may receive further follow-up emails.
For the responsible disclosure of critical vulnerabilities that could compromise the integrity or confidentiality of our users' GitHub repositories, autofix.ci pays a bug bounty of up to one month of autofix.ci's total revenue.
We will not bind you to any additional terms or have you sign an NDA when you report a vulnerability. However, bounty payments, if any, will be determined by autofix.ci, in autofix.ci's sole discretion. In no event shall autofix.ci be obligated to pay you a bounty for any submission. If you are unhappy with how autofix.ci is handling the disclosure process, you may walk away at any moment and publish your findings (but not any sensitive data you may have had access to) in the public.