Every Travis CI Enterprise Installation is secured with an SSL certificate to ensure that nobody can sniff HTTP connections. Normally, a self-signed certificate may work out well - but sometimes, can cause several problems. For example, your browser won’t trust a self-signed certificate by default.
We’re very happy to announce that a new Builder is now part of our team: please join us in welcoming Raphaela Wrede to Travis CI!
Historically, private repositories have used SSH deploy keys with write access. This meant that in the case of pull-requests from private forks of private repositories or pull-requests to recently open-sourced private repositories, the SSH keys could be accessed. This vulnerability was responsibly reported by Cash Williams and Dane Powell from Acquia to firstname.lastname@example.org. We have already updated our integration to create read-only ssh deploy keys and believe it is unlikely this vulnerability has been exploited.