
Author here :) Endgame exploits/abuses features. If it was a bug, I'd work with AWS to solve the problem, but with abusing features - that would result in years of unsatisfied feature requests. This should push the issue along.

>...and it's not even a hacking tool!

It can be used to backdoor resources to rogue accounts, so I'd say it's a hacking tool and can/should be used on penetration tests. I'd certainly use it on a pentest :)




404. Did they pull the repo or make it private?

https://github.com/salesforce/endgame


Here is one of many forks: https://github.com/agnivesh/endgame/



I'm impressed you were able to get your employer (Salesforce) to actually let you publish this under their organization. Kudos to that.


Salesforce also runs Heroku, which is one of the biggest AWS wrappers around. I'm really glad they're active in security auditing here, it's a real value add to customers of Heroku / Salesforce services to see evidence of their work to analyze security.


Yes, surprised also, given past stories around Defcon.

I think it's great to have audit tools like this. It makes people realize how vulnerable their accounts are.

Does a similar tool exist for Salesforce and Heroku?


Not sure what the shock is with seeing security tools like this released, the vast majority of security tools are open source, how is this different to what we have been seeing the past 30 years?

Not to mention companies such as Google, Netflix and Mozilla all release security tools just like this.


I guess they didn't.


That’s what I was expecting to happen, unfortunately.


Well, you know the saying about eggs and omelettes. I wish you luck with getting AWS to listen to you!


Thanks :)


Can you share the code somewhere else? It's been taken down from GitHub.



Bugs get patched. Features are protected, and sometimes simultaneously abused. Thank you!


So did you just put this out there or did you give AWS Security peeps a week or two notice?


This isn't exploiting a vulnerability. This requires authentication and uses AWS features. Why would they need to alert AWS?


you're an evil genius



