Challenge 35

Welcome to Challenge 35. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Reporting on Vulnerabilities

A security researcher found a Google API key and, together with the project leader @commjoen, created a GitHub security advisory. The only thing @commjoen did wrong was publish the API key as part of the advisory. Can you spot the key?

Answer to solution:

This is a documentation challenge, which can be solved by going to the GitHub advisory.

  1. Get to the key using the GitHub security advisory

    • Go to the advisory.

    • Find the Google API key.

    • Copy it into the answer box.

  2. Follow the GitHub security advisory information

    • Go to the advisory.

    • Find the version that is impacted (1.6.8RC1).

    • Open the tag at GitHub.

    • Find the Google API key in challenge 35.

    • Copy it into the answer box.

Why we need to be careful with vulnerability reports

When you report a vulnerability or publish a security advisory, always be careful with the information you spread with it. The exact values of hardcoded secrets you have found, especially those that are harder to rotate, should not appear in your security report or in the publication.
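
A pre-publication check for the point above, as an added example that is not part of the original challenge text or the project's own code: it masks Google-API-key-shaped tokens in an advisory draft and keeps only a short SHA-256 fingerprint, so the key owner can still confirm which key is meant. The function names and the sample draft are assumptions; the pattern (`AIza` followed by 35 URL-safe characters) is the shape common secret scanners use for Google API keys.

```python
from __future__ import annotations

import hashlib
import re

# Google API keys are 39 characters: the literal prefix "AIza" followed by
# 35 characters from the URL-safe base64 alphabet. The look-arounds stop the
# pattern from matching inside a longer token.
GOOGLE_API_KEY = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint that identifies a key without disclosing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def redact_advisory(text: str) -> tuple[str, list[dict]]:
    """Return the draft with key-shaped tokens masked, plus one finding per key."""
    findings: list[dict] = []

    def _mask(match: re.Match) -> str:
        fp = fingerprint(match.group(0))
        line_no = text.count("\n", 0, match.start()) + 1
        findings.append({"line": line_no, "fingerprint": fp})
        return f"AIza[REDACTED sha256:{fp}]"

    return GOOGLE_API_KEY.sub(_mask, text), findings


if __name__ == "__main__":
    # Constructed sample: a made-up placeholder key, not a real credential.
    fake_key = "AIza" + "EXAMPLE0" * 4 + "abc"  # 4 + 32 + 3 = 39 characters
    draft = (
        "### Impact\n"
        f"A Google API key ({fake_key}) was hardcoded in challenge 35.\n"
        "### Patches\n"
        "Rotate the key and upgrade.\n"
    )
    cleaned, found = redact_advisory(draft)
    print(cleaned)
    for item in found:
        print(f"line {item['line']}: masked key, fingerprint {item['fingerprint']}")
```
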