Hi —
I found what appears to be a Firebase / Google service-account JSON in your public repo. I'm not posting details here for responsible-disclosure reasons.
Please contact me at raffa@lictorai.com (or DM via GitHub) and I'll send the exact file path + line, plus the JWT payload decode confirming what the key grants access to.
Time-sensitive: service-account keys grant full GCP/Firebase project access until manually revoked. If real, the fix is two steps — rotate the key in Google Cloud Console, then rewrite the git history to remove it from the repo history.
(Falling back to a public contact-request because your repo doesn't have GitHub's Private Vulnerability Reporting enabled for external reporters.)
A note: this came from an automated security scan I manually verified before reaching out. If we're wrong (it's a sample key, a test fixture, or an already-revoked credential), please reply and we'll close out. No blame intended.
— Raffa
Lictor AI · https://lictorai.com · github.com/Raffa-jarrl/Lictor-AI