By The Meridiem Team


Home Depot's Year-Long GitHub Exposure Signals Vendor Accountability Collapse

When Fortune 500 retailers ignore security researchers for 12 months, the inflection shifts from technical vulnerability to organizational dysfunction. Home Depot's disclosure failure exposes the gap between researcher diligence and enterprise response capacity.


The Meridiem Team: At The Meridiem, we cover just about everything in the world of tech. Some of our favorite topics to follow include the ever-evolving streaming industry, the latest in artificial intelligence, and changes to the way our government interacts with Big Tech.

  • A GitHub token exposed Home Depot's entire developer infrastructure for nearly a year—access to hundreds of repos, order systems, and inventory pipelines.

  • Researcher Ben Zimmermann sent multiple disclosure attempts directly to the company and to CISO Chris Lanzilotta. All were ignored.

  • Home Depot has no bug bounty program and no formal vulnerability reporting channel—Zimmermann ended up contacting TechCrunch because the company wouldn't respond to direct contact.

  • The exposure only got fixed after a journalist called. That's not incident response; that's accountability collapse.

A GitHub access token belonging to a Home Depot employee sat exposed for roughly a year, granting access to hundreds of private source code repositories, order fulfillment systems, and inventory management infrastructure. Security researcher Ben Zimmermann discovered it in early November, tried the responsible disclosure route—emails, LinkedIn messages to the CISO—and got silence. Home Depot only acted after TechCrunch's intervention. This isn't just a vulnerability; it's a process failure that exposes how Fortune 500 companies have become unreachable to the security researchers trying to help them.

Here's what the numbers reveal: a single GitHub token, one employee mistake, twelve months of exposure, and zero internal process to catch it. Ben Zimmermann found the token in early November 2025, tested it, and immediately understood what he was holding. Access to hundreds of private Home Depot source code repositories. Modification rights. Routes into the cloud infrastructure running the company's order fulfillment and inventory systems. Code development pipelines. This wasn't a theoretical vulnerability—it was a skeleton key to Home Depot's operational nervous system.

Zimmermann has done this before. He's a security researcher who regularly finds these exposures and follows the protocol: quiet notification to the affected company, time for remediation, public disclosure only if ignored. He sent emails to Home Depot. Nothing. He reached out to CISO Chris Lanzilotta on LinkedIn. Silence. For weeks. And then weeks turned into months.

Here's the inflection point: Home Depot doesn't have a vulnerability disclosure program. No bug bounty. No formal security reporting channel. No clear way for an external researcher to responsibly warn the company about an active, critical exposure. So Zimmermann did what researchers do when companies become unreachable—he contacted TechCrunch, hoping a published story would light a fire.

It worked. Within days of TechCrunch's outreach on December 5, the token was revoked. But the timing tells you everything about how enterprise security has broken down. A company the size of Home Depot—which has hosted "much of its developer and engineering infrastructure on GitHub since 2015," according to GitHub's own customer profile—operates with security processes so opaque that a researcher with legitimate, time-sensitive findings has no way to reach the right person. And the company's leadership apparently never created a mechanism to be reached.

Zimmermann told TechCrunch something that cuts deeper than the technical exposure: "Home Depot is the only company that ignored me." He's disclosed similar findings to multiple companies recently, and others responded with thanks. One company stands out as unreachable. That's not a random failure. That's a pattern of organizational dysfunction.

Look at what's actually being exposed here beyond the GitHub token. Home Depot's lack of a formal disclosure program suggests no prioritized security infrastructure, no clear chain of command for urgent threats, no integration between external security researchers and internal incident response teams. When a researcher can't reach a CISO directly, and emails disappear into a void, you're looking at a company that hasn't built basic security operations architecture. This is the same retailer that has been a regular target of payment system breaches—the 2014 attack that exposed 56 million payment cards—yet apparently still hasn't established the fundamental channel for outside researchers to alert them to threats.

The Federal Trade Commission, which scrutinized Home Depot after that 2014 breach, would presumably care that the company still lacks a formal vulnerability disclosure mechanism in 2025. That's not a nice-to-have security feature; that's a foundational governance failure that creates liability. If someone else had found that token—someone with less ethical intent than Zimmermann—there would be no way Home Depot would have known. A ransomware operator could have extracted the entire codebase, modified deployment pipelines, or pivoted deeper into the infrastructure. And Home Depot's first indication of compromise would have come from law enforcement or customer data loss, not from early warning.

What this really exposes is the accountability vacuum in vendor security. Researchers like Zimmermann are operating as unpaid auditors for Fortune 500 companies, following protocols that assume the companies they're trying to help will actually listen. Home Depot proved that assumption was wrong. Now there's a precedent: if a company ignores a researcher long enough, a journalist will pick up the story and the company will scramble to respond. That's not security governance—that's reactive damage control disguised as incident response.

The broader pattern matters here. This isn't a one-off. As more source code and critical infrastructure moves to cloud repositories like GitHub, the attack surface expands. The number of exposed tokens, misconfigured credentials, and leaked secrets is accelerating. Researchers are drowning in findings. And now we're learning that even when they try to do everything right—responsible disclosure, direct communication, patience with internal processes—major enterprises may simply not respond. That changes the calculus for whether researchers should disclose publicly, bypass internal channels, or decide it's not worth the effort.

Home Depot had nearly a year to respond to a critical exposure in its most sensitive infrastructure. It took a TechCrunch phone call to trigger action. And even then, the company's response was silence and remediation, not explanation or transparency about how the exposure happened or whether logs exist to show who else might have used that token during its 11 months online.

Home Depot's silence isn't a security incident—it's an accountability failure that will reshape how researchers approach vendor disclosure. When Fortune 500 companies lack bug bounty programs and ignore direct CISO outreach, they signal that responsible disclosure is optional for them. For enterprise decision-makers, this exposes vendor accountability as unmeasurable: even major retailers don't have established processes to respond to critical findings. Investors should note that disclosure governance gaps create material liability risk. Researchers and security professionals face a reckoning: if direct outreach and patience don't work, public disclosure becomes the only lever. Watch for whether the FTC revisits Home Depot's security governance post-2014, and whether other researchers begin naming companies that ignore them.
