Home Depot exposed access to its internal systems for a year after an employee accidentally published a private GitHub access token in early 2024. Security researcher Ben Zimmermann discovered the token in November 2025 and tried to report it privately—emailing Home Depot and contacting their CISO on LinkedIn. He was ignored for weeks. The company has no bug bounty program or vulnerability disclosure policy. Zimmermann finally contacted TechCrunch on December 5, and only then did Home Depot revoke the token. The exposed credential granted access to hundreds of private source code repositories, cloud infrastructure, order fulfillment systems, and inventory management.
What the Token Exposed
The leaked GitHub token provided full access to hundreds of private Home Depot repositories on GitHub, including the ability to read and modify source code. It also granted access to cloud infrastructure, order fulfillment and inventory management systems, and code development pipelines. For a Fortune 500 retail company processing billions in transactions, this level of exposure is catastrophic. An attacker could inject backdoors into e-commerce code, steal customer data, exfiltrate intellectual property, or sabotage operations.
Home Depot admitted they cannot determine if unauthorized parties accessed these systems during the year-long exposure. That alone tells you everything about their monitoring capabilities. GitHub found 39 million secrets leaked in 2024—this is one example of a systemic industry problem, but Home Depot’s negligence stands out even in that crowd.
The Researcher Home Depot Ignored
Zimmermann found the exposed token in November 2025 and attempted to report it privately through multiple channels: email and LinkedIn contact with Home Depot’s CISO. He was ignored for several weeks. Home Depot has no vulnerability disclosure program or bug bounty, providing no official channel for security researchers to report findings. Zimmermann finally contacted TechCrunch on December 5, and only after the media outlet reached out did Home Depot take action. The token was revoked on December 12, when TechCrunch published the story.
This reveals a failure of corporate security culture. Researchers trying to help are ignored, forcing them to choose between staying silent (letting customers remain vulnerable) or going public (risking legal threats). Only 20% of Fortune 500 companies have vulnerability disclosure programs, despite VDPs being free to implement. Companies prioritize avoiding PR problems over actually fixing security issues. Researchers who follow “responsible disclosure” ethics are punished with silence, while only media pressure forces action.
The Fortune 500 Vulnerability Disclosure Gap
Only 20% of Fortune 500 companies run vulnerability disclosure programs (99 out of 500), up from just 9% in 2019. The remaining 80% have no official channel for security researchers to report findings. Meanwhile, GitHub found 39 million secrets leaked in 2024 alone, a 25% increase from the previous year. Top companies like Microsoft, Netflix, Apple, Google, and Intel run bug bounty programs paying up to $1 million per vulnerability, but most Fortune 500 companies refuse to invest even in free VDPs.
The gap between security leaders and laggards is massive. Microsoft recently expanded its bug bounty to an “In Scope By Default” model in December 2025—every Microsoft online service is now automatically eligible for bounty rewards. Netflix paid out over $1 million in bounties last year. Apple offers up to $1 million for vulnerabilities. Meanwhile, Home Depot can’t be bothered to set up a free disclosure program.
Companies that refuse to implement VDPs aren’t just making poor security decisions—they’re actively hostile to the security community. Researchers find vulnerabilities regardless of whether companies have programs, but without VDPs, they have no safe way to report. Result: issues go unfixed longer, customers remain vulnerable, and when stories break they’re amplified by media.
Home Depot’s Decade of Security Failures
This is not Home Depot’s first security incident. In 2014, they suffered one of the largest retail data breaches in history: 56 million payment cards stolen, 53 million email addresses exposed, costing $179 million in settlements. The breach happened because they didn’t patch a known Windows vulnerability—Microsoft had already released the fix. In 2024, a third-party SaaS vendor exposed 10,000 employee records. Now, in 2025, a GitHub token sat exposed for a year. Despite a decade and hundreds of millions in breach costs, Home Depot still has no vulnerability disclosure program or bug bounty.
Home Depot is a repeat offender, not a victim of sophisticated attacks. The pattern is clear: third-party trust without verification, no detection, reactive not proactive. A decade and $179 million in settlements later, they still haven’t learned. This demonstrates that without regulation forcing VDPs and basic security practices, many Fortune 500 companies will continue prioritizing short-term cost savings over customer security.
What Developers Should Learn
GitHub tokens function like passwords but with granular permissions (scopes). A leaked token with repo scope grants attackers the same access as if they logged in as that user: clone private repositories, modify code, access secrets, pivot to cloud infrastructure. Best practices include secret scanning (automated detection), token rotation (30-90 days), expiration dates, minimal permissions, and secure storage in key vaults—not code.
GitHub blocks several secrets per minute with push protection, but 35% of enterprise private repositories still contain plaintext secrets. Worse, 70% of secrets leaked in 2022 remain active in 2025. The cleanup never happens. For developers and security teams, the lesson is to use automated tools, rotate credentials, set expiration dates, and never hardcode secrets. For companies, the lesson is to implement VDPs and actually respond to security reports. Home Depot ignored Zimmermann for weeks. Only TechCrunch got their attention. That’s not security culture—that’s negligence.
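The token-format and secret-scanning points in the two paragraphs above, as an added example (not code from the post, from Home Depot, or from GitHub): a small pre-commit scanner that recognises GitHub's documented token prefixes, drops low-entropy documentation placeholders so it can block commits without constant false positives, and reports only a redacted form so the finding itself never becomes a second leak. The config lines it scans are constructed sample input, not real credentials.

```python
import math
import re
from collections import Counter

# GitHub token formats per GitHub's token-format documentation: classic PATs
# (ghp_), OAuth (gho_), user-to-server (ghu_), server-to-server (ghs_) and
# refresh tokens (ghr_) are a prefix plus 36 base62 characters; fine-grained
# PATs are github_pat_ plus 82 characters. The fixed prefixes are what make
# these tokens scannable before they ever reach a remote.
TOKEN_PATTERNS = {
    "github_classic": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "github_fine_grained": re.compile(r"\b(github_pat_[A-Za-z0-9_]{82})\b"),
}

# Constructed sample input: one real-shaped classic token, one README-style
# placeholder (36 x's), one real-shaped fine-grained token.
SAMPLE_CONFIG = (
    "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"
    "# README example: GITHUB_TOKEN=ghp_" + "x" * 36 + "\n"
    "deploy_token: github_pat_11AAAAAAA0bCdEfGhIjKlM_"
    "aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3aB4cD5eF6gH7iJ8kL9mN\n"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: a random base62 body scores around 5, while
    placeholders such as 'xxxx...' or 'AAAA...' score near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, min_entropy: float = 3.5) -> list[dict]:
    """One finding per token-shaped string whose random body is high entropy.
    Only the prefix and four body characters are kept, so CI logs and tickets
    do not end up holding the full secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1)
                body = token[11:] if kind == "github_fine_grained" else token[4:]
                if shannon_entropy(body) < min_entropy:
                    continue  # documentation placeholder, not a live credential
                findings.append({"line": lineno, "kind": kind, "redacted": token[:8] + "..."})
    return findings

if __name__ == "__main__":
    import subprocess, sys
    # Pre-commit use: scan only the lines this commit would add and block on any hit.
    diff = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++"))
    hits = scan_text(added)
    for h in hits:
        print(f"blocked: {h['kind']} {h['redacted']} (added line {h['line']})")
    sys.exit(1 if hits else 0)
```

Run against SAMPLE_CONFIG it reports the two real-shaped tokens and ignores the placeholder; wired in as a pre-commit hook it refuses the commit, which is the local equivalent of the push protection the post mentions.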
