The Verge reported on April 29 that GitHub patched a critical remote code execution vulnerability in less than six hours after Wiz Research disclosed it. The vuln, in GitHub's internal git infrastructure, could have given attackers access to "millions of public and private code repositories," per Wiz. The discovery method is the part that matters: Wiz used AI models to find the bug. Per Wiz researcher Sagi Tzadik, this is "one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified." GitHub's response per CISO Alexis Walesa: 40 minutes to reproduce internally, just over two hours from validation to deployed fix on github.com, forensic investigation showing no exploitation. Total ~6 hours from disclosure to deployed fix on both GitHub.com and GitHub Enterprise Server.
Two technical signals stand out. First, the closed-source framing matters. Most public AI-vulnerability research has been against open-source code where the model reads the source directly. Finding a critical RCE in a closed-source git binary using AI implies the model was reasoning about behavior from binaries, traffic, observed inputs, or fuzzing results — harder, more security-research-relevant, and a credible threat-model shift. Second, Wiz described the bug as "remarkably easy to exploit" despite GitHub's underlying system complexity. That combination — easy to exploit but hidden inside a complex system — is exactly the failure pattern that AI-driven fuzzing and pattern-matching are good at surfacing. Expect more disclosures with this profile through 2026.
This lands in the middle of an ongoing reliability narrative for GitHub. Tom Warren's reporting in The Verge notes that the patch came "just days after GitHub had a major outage that randomly reverted previously merged commits for some users," plus "other outages last week" — extending the multi-service outage we covered yesterday (Issues 20h, Pages 20h, Actions 14h). Warren cites an unnamed GitHub employee: "the company is collapsing, both in outages that are reallllly bad and have torched the company reputation… and in an exodus of leadership." The security side gets a positive data point — a 6-hour fix with no exploitation found is excellent — but it lands in a context where GitHub's operational health is being publicly questioned. The Copilot pricing reset on April 28, the multi-day outage cluster, and now the AI-disclosed RCE form a continuous April pattern.
For builders, three concrete things. First, AI-driven vulnerability discovery in closed-source binaries is now a credible, demonstrated capability. If you ship binaries and assume that lack of source access protects you from automated bug discovery, update your threat model. Second, your bug-bounty effectiveness is measured by fix-deploy speed, not by bounty size alone. GitHub paid "one of the highest rewards available in our Bug Bounty program" for this disclosure, and the disclosure-to-fix path worked because GitHub had the operational infrastructure to validate and patch in under six hours. Both halves matter. Third, the GitHub trend matters for hosting decisions even if you do not switch hosts today. Reliability narrative + leadership exodus + AI-disclosed criticals is the kind of pattern that ends with maintainers slowly migrating mirrors. Watch for high-profile project mirror announcements through 2026; the pattern often starts with a few prominent maintainers and cascades.
