For 7 days, Travis CI pull requests included secure environment variables in public repositories.
Signing keys, access credentials and API tokens may have been leaked, and these could be used to gain a foothold in thousands of customer networks.
Public repositories using Travis CI.
Containment, Mitigations & Remediations
Travis CI recommends that you rotate your secrets. They have not reached out to affected parties or made any serious attempt to inform the public about the issue.
Based on the vendor response, the security researchers who found the vulnerability recommend switching away from Travis CI altogether.
In 2019 the company was acquired and a large portion of their development team was fired.