$700 Bounty from a 2-Year-Old Secret — Found with iScan.today
iScan.today helps uncover sensitive information in GitHub; with it the author found valid credentials that had gone unnoticed for two years, leading to a high-severity finding and a bounty. The tool plays an important role in bug bounty work. 2025-6-26 10:33:56 Author: infosecwriteups.com

Arshad Kazmi

I use iScan.today to scan all the GitHub organizations for programs I’m invited to. Once added, it quietly runs deep scans across repos — not just recent commits, but full history — hunting for secrets that others might miss.

The Discovery

iScan.today — Found secret

On May 5, I got a notification from iScan.today. It had flagged a plaintext credential in an employee’s public GitHub repo, tied to a private bug bounty program I’m in.

The secret?

Credentials to the company’s internal package manager server — exposed for over 2 years.

Despite being that old, the credentials were still active and allowed:

  • Logging into the package manager UI
  • Deleting existing packages
  • Uploading new ones — essentially full control over the package pipeline

This wasn’t a minor leak — it was a potential supply chain compromise waiting to happen.
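As an added example (not the author's or iScan.today's code), here is a minimal scanner in the spirit of the full-history check described above: it walks `git log -p --all` output and flags package-manager credentials on every added or removed diff line, so a credential that was committed and later deleted still surfaces. The patterns, the `.pypirc`/`.npmrc` sample log and the commit ids are constructed for illustration and are assumptions, not iScan.today's rules.

```python
import re
from collections import namedtuple

# Illustrative patterns (assumption, not iScan.today's rules): .pypirc passwords, .npmrc tokens.
PATTERNS = {
    "pypirc_password": re.compile(r"^\s*password\s*=\s*(\S+)"),
    "npmrc_auth_token": re.compile(r"_authToken\s*=\s*(\S+)"),
}

# Constructed `git log -p --all` excerpt: a credential is committed, then the file is
# deleted, so a scan of HEAD alone would miss it; the .npmrc token is never removed.
SAMPLE_LOG = """\
commit 1111111
diff --git a/.pypirc b/.pypirc
+++ b/.pypirc
+username = ci-bot
+password = EXAMPLE-SECRET-1
diff --git a/.npmrc b/.npmrc
+//registry.internal.example/:_authToken=EXAMPLE-TOKEN-2
commit 2222222
diff --git a/.pypirc b/.pypirc
-password = EXAMPLE-SECRET-1
"""

Finding = namedtuple("Finding", "commit path kind value action")  # action: added/removed

def scan_history(log_text: str) -> list:
    """Flag secret-looking values on every +/- diff line across the whole log."""
    findings, commit, path = [], "", ""
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git"):
            path = line.split(" b/")[-1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            action = "added" if line[0] == "+" else "removed"
            for kind, pat in PATTERNS.items():
                m = pat.search(line[1:])
                if m:
                    findings.append(Finding(commit, path, kind, m.group(1), action))
    return findings

def exposed_values(findings) -> set:
    """Anything ever added is public and must be rotated server-side;
    a later removal commit does not revoke it."""
    return {f.value for f in findings if f.action == "added"}

def still_in_head(findings) -> set:
    """Subset that was never removed, i.e. also present in the current tree."""
    return exposed_values(findings) - {f.value for f in findings if f.action == "removed"}
```

Run `scan_history` over real `git log -p --all` output to get the same per-commit findings; the set from `exposed_values` is the rotation list, regardless of what HEAD contains.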

The Timeline

  • 🕕 May 5, 6:50 PM — I reported the issue.
  • 🛠️ May 6 — It was triaged.
  • ⚠️ Later that day — Severity was updated to High.
  • 💰 Also on May 6 — I received a $700 bounty.
  • ✅ The issue was fully resolved.

Why It Matters

Most recon tools are noisy or surface-level.

iScan.today went deep, found a 2-year-old exposed secret, and flagged it immediately.

I didn’t need to chase anything down.

Once I added the program’s GitHub orgs, iScan.today did the heavy lifting — and alerted me when it found something worth acting on.

If You’re Bug Hunting…

This is exactly why I built iScan.today — to give bug bounty hunters like us real, actionable findings that lead to reports, not noise.

If you want to catch exposures others miss, especially in private programs, start scanning with iScan.today.


Source: https://infosecwriteups.com/700-bounty-from-a-2-year-old-secret-found-with-iscan-today-87fb07eb5f53?source=rss----7b722bfd1b8d--bug_bounty