We have introduced several security fixes to our open source Broker. We would like to thank Wing Chan of The Hut Group, who responsibly disclosed the issues to us via our bug bounty program.
These issues pertained to increased privileges that were available only to specific internal Snyk personnel. All issues were patched for all supported SCMs in version 4.80.0 of the Broker. We have also taken steps to improve the auditability of the Broker code, and have improved both client-side and server-side logging so that customers and Snyk have better visibility of activity on the service.