Do not disclose security vulnerabilities or any other security-related issues here, please email us instead:

az-digital-security@list.arizona.edu

Please include as much of the information listed below as you can to help us understand and resolve the issue:

• The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting.)
• Full paths of source file(s) related to the issue.
• The location of the affected source code (tag/branch/commit or direct URL.)
• Any special configuration required to reproduce the issue.
• Step-by-step instructions to reproduce the issue.
• Proof of concept or exploit code (if possible).
• Impact of the issue, including how an attacker might exploit the issue.

• API keys,
• Database usernames/passwords,
• And private keys in their GitHub repositories.

Strong passwords aren’t secure enough anymore. Attackers have developed several tested methods of stealing credentials, giving them unauthorized access to private accounts.

For this reason, requiring Multi-Factor Authentication (MFA) for all your GitHub organizations is critical.

MFA should be enforced for every GitHub user in your organizations.

To require MFA, select Your Profile Photo → Your Organizations → Settings → Security → Authentication Security. For more details, see the GitHub documentation.