Six hours. That's how long a critical flaw in GitHub's core infrastructure sat exposed before the company's security team had a fix deployed - and the only reason it was caught was an AI-assisted security audit.
Wiz Research, the cloud security firm, used AI models to uncover the vulnerability in GitHub's internal git infrastructure - the system that handles version control, meaning the tracking of every code change ever committed on the platform. The flaw was a remote code execution (RCE) vulnerability, meaning an attacker could have run arbitrary code on GitHub's own servers without physical access. If exploited, it could have allowed access to millions of public and private code repositories. Wiz submitted the finding through GitHub's bug bounty program, which pays outside researchers to find security flaws before bad actors do. The Verge reported that GitHub's security team confirmed they immediately began validating the report upon submission.
How Serious Was It?
RCE flaws are the worst category of security vulnerability. They let an attacker run their own instructions on remote servers - no physical access, no credentials required. In GitHub's case, the blast radius would have been enormous. The platform hosts over 100 million developers and stores years of proprietary code, internal tooling, and open-source projects that power most of the internet's software.
An attacker with RCE access to GitHub's git layer wouldn't just steal source code. They could potentially inject malicious changes into repositories - a supply chain attack, where tampered code gets distributed to every project that depends on a compromised library. This class of attack is exactly how several high-profile breaches in recent years compromised thousands of companies downstream from a single compromised package.
Sub-Six-Hour Patch
GitHub's security team validated and patched the vulnerability in under six hours. The industry average for patching critical vulnerabilities typically runs weeks or months. A sub-six-hour response on infrastructure at this scale is a genuine benchmark.
GitHub has not disclosed any evidence of exploitation before Wiz found it. The bug bounty program worked as intended.
What's worth examining is how the vulnerability was found. Wiz says AI models were central to their discovery process. Security researchers are increasingly using AI to analyze large codebases and identify subtle flaws that human review would miss. The same capability is available to malicious actors. This is the current arms race in software security: defenders using AI to find vulnerabilities faster, while attackers use the same tools to find ones defenders missed.
For developers who store code on GitHub - or whose software depends on open-source packages hosted there - the practical outcome is that your data appears to have been safe. But this incident is a reminder that critical infrastructure vulnerabilities get found when researchers specifically go looking, and AI is accelerating that search on both sides.