How a GitHub Quirk Helped Me Earn $40K+ in Bug Bounties
SMRTR summary
GitHub's username renaming behaviour creates a security weakness. When a user changes their username, links to repositories under the old username keep redirecting to the new location, but only until someone registers the old username. The author built a scanner to find such unclaimed old usernames; by registering one and recreating the repositories under it, an attacker takes control of every link that still points at the old path. This method surfaced several high-severity vulnerabilities, with bounties up to $10,000. The issue poses a significant risk for supply-chain attacks and credential harvesting.
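As an added example from the defender's side (not code from the original article or from SMRTR), the following audit extracts github.com references from text such as install scripts or module files, asks a resolver which owner GitHub currently serves each one under, and flags references that only work through a rename redirect. The sample text, the `FAKE` redirect table and the names acme, old-owner, new-owner and gone-user are constructed for the demonstration.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# github.com/<owner>/<repo> as it appears in go.mod, install scripts, git URLs and READMEs
GITHUB_REF = re.compile(
    r"(?:github\.com|raw\.githubusercontent\.com)[/:]([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+?)"
    r"(?:\.git)?(?=[/\s\"'@#)]|$)"
)
# A resolver returns the owner GitHub currently serves (owner, repo) under, or None if unreachable
Resolver = Callable[[str, str], Optional[str]]

def extract_refs(text: str) -> List[Tuple[str, str]]:
    """Unique (owner, repo) pairs referenced in text, in first-seen order."""
    seen, refs = set(), []
    for owner, repo in GITHUB_REF.findall(text):
        if (owner, repo) not in seen:
            seen.add((owner, repo))
            refs.append((owner, repo))
    return refs

def classify(owner: str, resolved: Optional[str]) -> str:
    if resolved is None:
        return "dangling"  # repository gone: the link already fails
    if resolved.lower() != owner.lower():
        return "renamed"   # served only via a rename redirect, which lasts until the old name is claimed
    return "ok"

def audit(text: str, resolve: Resolver) -> Dict[str, str]:
    """Map each referenced owner/repo to ok / renamed / dangling."""
    return {f"{o}/{r}": classify(o, resolve(o, r)) for o, r in extract_refs(text)}

def github_resolve(owner: str, repo: str) -> Optional[str]:
    """Live resolver: follow github.com redirects and read the owner from the final URL."""
    try:
        with urllib.request.urlopen(f"https://github.com/{owner}/{repo}", timeout=10) as resp:
            m = re.match(r"https://github\.com/([^/]+)", resp.geturl())
            return m.group(1) if m else None
    except urllib.error.HTTPError:
        return None

# Constructed sample standing in for a real install script / go.mod; all names are made up
SAMPLE = """go get github.com/acme/lib@v1.2.0
curl -sSL https://raw.githubusercontent.com/old-owner/tool/main/install.sh | sh
git clone git@github.com:gone-user/script.git
"""
# Constructed redirect state standing in for live GitHub answers (old-owner was renamed to new-owner)
FAKE = {("acme", "lib"): "acme", ("old-owner", "tool"): "new-owner", ("gone-user", "script"): None}
REPORT = audit(SAMPLE, lambda o, r: FAKE.get((o, r)))  # {'acme/lib': 'ok', 'old-owner/tool': 'renamed', ...}
```

Pass `github_resolve` instead of the fake resolver to audit a real file; every `renamed` hit should be updated to the new owner (or pinned to a commit hash) before the old username can be registered by someone else.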
SMRTR provides this summary for quick context. The original article belongs to Daily.dev.