CISA Recognized for Swift Action and Transparency in Security Incident
By Mathew J. Schwartz
July 17, 2026
In recent months, the United States Cybersecurity and Infrastructure Security Agency (CISA) has attracted both scrutiny and praise for its handling of a significant cybersecurity incident that exposed critical information in a public GitHub repository. Lessons derived from this incident highlight the importance of rapid response, transparency, and improved communication in addressing cybersecurity vulnerabilities.
The incident in question began on November 13, 2025, when a repository named "Private-CISA" inadvertently disclosed approximately 844 megabytes of sensitive data, which included valid plaintext passwords, AWS tokens, and Entra ID SAML certificates, along with documentation and personal files. GitGuardian, a secrets-scanning service, was among the first to detect the data exposure and made efforts to notify CISA about the vulnerability starting on May 14. Remarkably, CISA’s response time from initial notification to mitigation was just 26 hours. Cybersecurity researcher Guillaume Valadon of GitGuardian expressed relief at CISA’s swift action, stating that it is uncommon for organizations to respond so quickly to such alerts.
Two months later, CISA shared its insights in an "after-action report," revealing both successes and areas for improvement. Valadon praised the agency for its transparency, calling the incident communication "exactly the incident communication we should expect from every organization." The after-action report highlighted that one of the most effective strategies was CISA’s immediate acknowledgment of the researchers’ alert regarding the data exposure. The agency also emphasized the importance of expressing gratitude to security researchers for their vigilance, a practice CISA followed through with after resolving the issue.
One of the primary advantages for CISA in this crisis was its implementation of strong zero trust controls and robust logging systems. These enabled the security operations center to quickly pinpoint the source of the credential exposure to a contractor, affirming that the leaked credentials had not been misused outside of CISA’s environments. Following identification, the agency took decisive steps by temporarily taking offline its development environment and resetting all access credentials, including those of the individual responsible for the leak.
CISA’s digital forensic investigation revealed that the contractor had uploaded copies of sensitive build and deployment scripts to their personal GitHub account to facilitate cloud infrastructure creation autonomously. Alarmingly, this repository also contained both administrative and build credentials, which were mistakenly made public.
However, the reporting process surrounding this incident did encounter challenges. GitGuardian reported that its automated secrets-finding tool had previously alerted the GitHub commit author on nine separate occasions about the potential exposure of information by May 13. Despite these warnings, it wasn’t until researchers directly reported the situation to the U.S. CERT Coordination Center’s portal on May 14 that effective communication was established. Frustratingly, the researchers only received an automated acknowledgment of their report from CERT/CC, prompting them to seek the assistance of investigative journalist Brian Krebs. This ultimately led to a direct conversation with CISA on the evening of May 15, after which the repository was promptly taken offline within eight hours.
Valadon criticized the complexity of the reporting process, suggesting that organizations must aim to simplify procedures for security alerts. Many well-established businesses and government agencies incorporate a security.txt file on their websites, offering straightforward contact points for security researchers to report vulnerabilities. This text file is user-friendly and machine-readable, thereby streamlining communication.
Recently, CISA collaborated with the National Security Agency, as well as cybersecurity agencies from the UK, the Netherlands, and Japan, to issue a joint advisory advocating for organizations to establish coordinated vulnerability disclosure programs with security researchers. These programs encourage the use of security.txt files, providing researchers with clear instructions for reporting vulnerabilities effectively.
Valadon emphasized the need for further improvements, urging organizations not only to create prominent reporting instructions but also to ensure that security reports do not end up misclassified within product bug queues. Recognizing these shortcomings, CISA has begun simplifying its incident reporting processes and has made a commitment to add a security.txt file to its domain.
CISA’s learning experience extended beyond communications and rapid response. The agency acknowledged a lack of a specific security playbook for addressing GitHub or other cloud data leaks, which hampered the response process. Consequently, CISA plans to tighten controls regarding public code repository usage and intends to scan its code repositories for any potential emergence of exposed secrets, recommending that all organizations undertake similar actions.
Furthermore, CISA is in the process of consolidating its development environments to create stronger security protocols. The agency is also refining its playbooks to facilitate quicker credential changes during future emergencies. The complexity inherent to CISA’s systems and its interconnections with federate partners caused its key rotation process to take longer than expected. Learning from this incident, CISA is advocating for all organizations to maintain mature and well-tested key-management capabilities.
In conclusion, CISA’s handling of the recent cybersecurity incident serves as a critical learning experience for all organizations dealing with sensitive information. Its rapidly executed response, willingness to embrace transparency, and commitment to refining protocols can guide others in establishing effective strategies to mitigate cybersecurity vulnerabilities in an increasingly interconnected world.

