
xAI Secret Leak: The Story of a Disclosure

The rise of AI increases secret sprawl for many reasons. In GitGuardian's State of Secrets Sprawl report from 2025, we described how the use of Copilot seemed to increase the number of secret leaks. This data-based analysis confirmed academic work on the security of LLM-generated source code, especially with regard to secrets.

Another side of the story is that the broad adoption of AI multiplies the number of AI API providers, consumers, and the non-human identities that connect the two. Since AI tools are used by both technical and non-technical people, they also diversify the sources of leaks. We are now seeing AI API tokens leaked by companies of all sizes and sectors, from small to big, from marketing to software development.

No company seems to be immune to this growing risk, and in the past few months xAI, the company behind the Grok AI assistant, has been a victim.

Original leak and alert

GitGuardian's secret detection platform continuously scans public GitHub repositories for new secrets. When we find one, an automated system sends an alert email to the commit author to warn them about the leak. We call this the Good Samaritan program, which has been available to all developers free of charge since 2017.

On March 2, 2025, this automated system discovered a new secret in a public repository. The commit contained an xAI API key in a .env file. This is a classic secret leak scenario, and GitGuardian sent an email to the commit author to draw their attention to the incident. The only thing that set this particular commit apart from the crowd was the committer's email address: it was hosted under the x.ai domain. No further investigation was carried out at this time. The alert was drowned among the hundreds of other emails we sent to other developers.

Independent rediscovery

Two months later, Philippe Caturegli, an independent security researcher at Seralys, revealed in a LinkedIn post that he had obtained access to an xAI API key from a public repository. He also tagged GitGuardian, which brought the leak back to our attention.

The disclosure by Philippe Caturegli.

After investigation, it turned out that the API key was still valid two months after the original discovery and alert. In addition, the key was more than a simple user's key. In fact, the corresponding account had access not only to public Grok models (grok-2-1212, etc.), but also to apparently unreleased (grok-2.5V), development (research-grok-2p5v-1018) and private models (tweet-rejector, grok-spacex-2024-11-04).

At this point, we decided not to pursue the investigation further, but to officially and immediately inform X about the leak in a coordinated responsible disclosure. We can only speculate about the data the private models were trained on, but chances are good that these LLMs had knowledge of intellectual property belonging to X, Tesla or SpaceX. Careful querying of these models could lead to this information being disclosed, which could be of critical importance to the business of these companies.

We wrote a responsible disclosure email with all the information required to quickly identify the leak source, the keys and accounts concerned, and to start the remediation process. We then ran into a first difficulty. The main website of xAI does not expose a security.txt file. As we presented in a blog post at the beginning of this year, RFC 9116 defines a way to publish security contacts through a security.txt file. This is an industry standard that xAI does not follow.

X.com does expose a security.txt file. However, it points to a HackerOne program, and the file has been expired since January 2024, one year after the takeover of Twitter by Elon Musk.
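The two problems described above (no usable contact, and a file past its Expires date) can be checked mechanically. The following is an added example, not code from GitGuardian or from the original post: it parses a security.txt in the RFC 9116 field format and reports what a reporter would run into. The sample file is constructed, and the "no mailto: contact" check is this example's own policy, not an RFC requirement.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the situation above: the only contact is a
# bug bounty page and the Expires date is in the past.
SAMPLE = """\
# constructed example, not a real file
Contact: https://bugbounty.example/program
Expires: 2024-01-15T00:00:00Z
Preferred-Languages: en
"""

def parse_security_txt(text):
    """Return {lowercased field name: [values]} from 'Name: value' lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a field
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def audit(text, now=None):
    """List the problems a reporter would hit when relying on this file."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    elif not any(c.lower().startswith("mailto:") for c in contacts):
        # Policy of this example only: RFC 9116 also allows https: and tel:.
        findings.append("no mailto: contact, only web forms or programs")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
        return findings
    try:
        when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
    except ValueError:
        findings.append("Expires is not a valid date-time")
        return findings
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # assume UTC if no offset
    if when <= now:
        findings.append(f"expired on {when.date()}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```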

Googling for a vulnerability disclosure page for xAI returned two results:

  • A HackerOne program for X
  • A security page at

Unfortunately, the security page was not very helpful for disclosing vulnerabilities and mainly contained information on the security of user data.

The HackerOne program page seemed to have xAI in scope, but since we were not looking for rewards and have had bad experiences disclosing leaks through bug bounties, we tried to find a better option.

After some digging, we finally identified the [email protected] email address as a good candidate for disclosure. Finding this security contact cost us a few unnecessary hours. We sent the disclosure email on April 30th at 11:00 a.m.

We received an answer from xAI 12 hours later:

Thank you very much for your email

So that we can analyze this as necessary and also give you proper credit, would you please submit this to xAI's bug bounty program on HackerOne?

Thanks!
xAI team

xAI's team redirected us to their bug bounty program. This delays the remediation process. Submitting the report to HackerOne and having it triaged and forwarded to the company could take additional hours or days during which remediation would not begin. For a company the size of X, replacing an incident response team (PSIRT or CSIRT) with a bug bounty should not be an option and should be seen as a bad practice. Here again, we were not looking for a reward.

Fortunately, the leaky repository was removed from GitHub just a few hours later and the key was revoked. This happened without any update being sent to us, completely outside the bounds of the disclosure process. This means we could have wasted more time filling in a bug bounty report and waiting for updates, only to be told that the report was invalid because the problem had already been fixed.

The leaky repository was deleted from GitHub.

This incident then received greater attention when cybersecurity journalist Brian Krebs covered the story in a detailed report.

Secret leaks happen. They affect every company without distinction, and we cannot blame xAI or its developers, even if we could expect large companies that process a gigantic amount of customer data to be more careful. We even expect that the growing adoption of AI will increase the incidence of AI-related secret leaks in every sector.

With that in mind, every company should be ready to receive security alerts for such incidents. The xAI case shows some frequent misunderstandings and bad practices when it comes to responsible disclosure:

  • No easily identifiable security contact.
  • A bug bounty program replacing or standing in for a proper CSIRT team.
  • No transparent communication with researchers, and no updates about remediation.

Fortunately, there are a few simple things you can do to be better prepared to receive security alerts from third parties:

  • Identify a team responsible for handling incoming disclosures.
  • Publish information about your security contacts.
  • Refine your bug bounty scopes and guidelines.
  • Be ready to receive negative feedback.
  • Follow a transparent approach in communication.

All of these points are dealt with in detail in our dedicated blog posts.

From Alert to Action: Best Practices for Handling Responsible Disclosure

Responsible disclosure is an often overlooked but critical component of cybersecurity alert processes. Explore important best practices that improve communication and collaboration with researchers and turn potential security threats into opportunities for stronger defense.


Security First, Transparency Always: Inside GitGuardian's Responsible Disclosure Process

In the past 6 months, our security research team disclosed 24 critical vulnerabilities. Most were successfully remediated. Our team's contributions to cybersecurity were officially recognized, with our researchers being listed in the security researcher Hall of Fame of Bayer and Oracle.


*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Take Control of Your Secrets Security, authored by Gaëtan Ferry. Read the original post at:
