Travis-CI published a security bulletin the other day, describing a special condition that would allow to access secrets belonging to a foreign repository in Github or Bitbucket. The condition requires a fork from a public repository. That’s how open source work, and very central functionality. Not a corner case.
Turns out, the cloud service did address the issue, still plenty of secrets have been affected:
While cloud technology is all great economically, this is another sample of why commercial software vendors need to consider third party vendors in their threat profiles.