Security researchers have identified a critical flaw in how bug bounty programs handle credential exposure, often dismissing high-risk API keys as 'out of scope' despite their potential for massive data breaches.
According to a report by Cremit, two separate instances involved admin-level keys sitting in plain text on public GitHub repositories. In one case, a Slack Bot Token remained exposed for three years, granting access to sensitive company channels, files, and user directories.
Despite the token providing a map of an organization's entire technology stack, the organization's bug bounty program classified the finding as 'out of scope.'
In a second instance, an Asana Admin API key with full read/write permissions was discovered after two years of exposure. The key belonged to a subsidiary that had been consolidated into a parent organization. The parent company also dismissed the report as 'out of scope' because the asset originated from a separate entity.
The structural failure of scope
Cremit reports that both organizations took action to rotate the keys after the disclosure, even though they officially denied the validity of the report. This contradiction suggests that companies are actively managing the risks while simultaneously refusing to acknowledge them through formal security channels.
'The risk was acknowledged, the value of the disclosure was leveraged, and yet the official classification remained "out of scope,"' the report states.
This pattern of dismissing leaked credentials as 'out of scope' ignores how modern breaches actually start. The report cites Toyota, where an access key exposed on GitHub for five years led to the leak of over 296,000 customer records, and Uber's 2016 breach, which stemmed from hardcoded AWS credentials in a GitHub repository.
Data from GitGuardian shows the scale of the issue is accelerating. The report notes that 23.8 million secrets were detected on public GitHub in 2024, marking a 25% increase year over year.
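The two credential types the report names, a Slack Bot Token and an AWS access key, both carry a fixed, public prefix ('xoxb-' and 'AKIA'), which is exactly what a pre-commit or CI secret scanner keys on. The scanner below is an added example written for this article, not Cremit's or GitGuardian's tooling; the sample settings file it scans is constructed, the Slack and AWS values in it are fake, and the Asana key from the report is deliberately not matched because its token format is not stated on this page. The AWS documentation placeholder 'AKIAIOSFODNN7EXAMPLE' is allowlisted so the scanner does not cry wolf on it.

```python
import re
import sys
from dataclasses import dataclass

# Credential types named in the article. Prefixes are public knowledge:
# Slack bot tokens begin with "xoxb-", AWS access key IDs with "AKIA" and
# are 20 characters long. No pattern is assumed for Asana keys: the report
# does not give their format, so this scanner does not guess one.
PATTERNS = {
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Documentation placeholders that look like keys but are never live.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass
class Finding:
    kind: str      # which pattern matched
    line: int      # 1-based line number in the scanned text
    secret: str    # the full matched value (never print this; use redact())


def redact(secret: str) -> str:
    """Keep enough of the value to locate it in the file, never enough to use it."""
    return f"{secret[:6]}...{secret[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return every non-allowlisted credential match, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if value in ALLOWLIST:
                    continue
                findings.append(Finding(kind, lineno, value))
    return findings


# Constructed sample: a settings file of the kind that ends up in a public
# repository. Both credential values are fabricated for this example.
SAMPLE = """\
# settings.py
SLACK_BOT_TOKEN = "xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUv"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # AWS docs placeholder, allowlisted
AWS_ACCESS_KEY_ID = "AKIAJ2K3L4M5N6P7Q8R9"
DEBUG = True
"""


def main(paths: list[str]) -> int:
    """Pre-commit style entry point: non-zero exit if any file holds a credential."""
    if not paths:
        sources = [("<sample>", SAMPLE)]
    else:
        sources = []
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                sources.append((path, fh.read()))
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            total += 1
            print(f"{name}:{f.line}: {f.kind} {redact(f.secret)}")
    if total:
        print(f"{total} credential(s) found; rotate them, do not just delete the line.")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A hit from this scanner is a signal to rotate, not merely to remove the line: once a key has been pushed to a public repository it must be treated as compromised, since deleting it from the working tree leaves it in git history and in every clone and crawler cache that saw it. That is the same point the report's three- and two-year exposure windows make.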
Researchers argue that the current bug bounty model is fundamentally broken. While programs are designed to find code-level vulnerabilities like SQL injection, they are failing to address the growing threat of Non-Human Identity (NHI) exposure: the API keys, bot tokens and service-account credentials that grant access without any human logging in.