Today — 6 May 2024
Blog on STAR Labs

Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell

30 April 2024 at 00:00
Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.