Description of Incident
Various GitHub OAuth tokens and secure environment variables that users included in their builds were accidentally exposed via inclusion in build logs on Travis CI. The vulnerability was responsibly disclosed by security researcher Ivan Vyshnevskyi, first to the Google Security team, who in turn disclosed it to Travis CI in a private channel. To our knowledge, no exposed OAuth tokens have been published. Neither Travis CI nor GitHub have been compromised.