Suspending him only shows that if a vulnerability exists (and they always do) in the future people won't go about it so openly because what they'll get for their troubles will be an account suspension. The guy could have done real harm if he kept silent and used it maliciously, chose not to, and got suspended. Github should pay him for finding the vulnerability instead!
Well, this is not exactly what I expected to find in the ToS:<p><i>GitHub, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other GitHub service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all Content in your Account. GitHub reserves the right to refuse service to anyone for any reason at any time.</i><p>That means my company's code can be wiped out by GH at any time, for any reason. Please don't hurt me :(
Remember when Zed Shaw took down GitHub for purely personal reasons, disturbing service for millions? I don't remember him getting suspended; his account is live and well at <a href="http://github.com/zedshaw" rel="nofollow">http://github.com/zedshaw</a><p><a href="http://sheddingbikes.com/posts/1306816425.html" rel="nofollow">http://sheddingbikes.com/posts/1306816425.html</a>
So if I got this right, this is the order of how things happened.<p>1. Egor finds a vulnerability and reports it. <a href="https://github.com/rails/rails/issues/5228" rel="nofollow">https://github.com/rails/rails/issues/5228</a><p>2. It gets ignored and he is called a troll.<p>3. He proves that he was right by doing a harmless commit to the rails master repo.<p>4. The vulnerability gets fixed quickly as it got the focus of the community.<p>5. His account gets suspended.<p>Not sure I agree with the suspension.
He has a get out of jail free card.<p><a href="http://homakov.blogspot.com/2011/07/octocat-tattoo.html" rel="nofollow">http://homakov.blogspot.com/2011/07/octocat-tattoo.html</a>
His account has been reinstated, Github has patched their service, and the Rails team has committed a patch with new defaults. All in less than eight hours. Let's move on.
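What the "new defaults" in that Rails patch amount to, shown as an added example that is not the commenter's, Rails', or GitHub's code: a plain-Ruby stand-in for the attribute allowlisting that ActiveRecord performs, comparing open-by-default assignment, whitelist-by-default, and an explicitly declared allowlist. The record, the field names, and the `strict` option are constructed for illustration and are not taken from the issue or the patch.

```ruby
# Added illustration, not Rails or GitHub code: a minimal stand-in for
# ActiveRecord-style mass assignment so the regimes the thread alludes to
# can be compared side by side. Field names and values are constructed.

class MassAssignmentError < StandardError; end

# Assign request parameters to a record (a plain Hash here).
#
#   accessible           - the model's declared allowlist of attribute names,
#                          or nil if the developer declared nothing
#   whitelist_by_default - mimics the framework default that changed after
#                          this incident:
#                            false => an undeclared model accepts every key
#                            true  => an undeclared model accepts no key
#   strict               - raise instead of silently dropping rejected keys
#                          (hypothetical option, modelled on a strict sanitizer)
#
# Returns [updated_record, rejected_keys]; the input record is not mutated.
def assign_attributes(record, params, accessible: nil, whitelist_by_default: false, strict: false)
  incoming = params.transform_keys(&:to_s)
  allowed =
    if accessible
      accessible.map(&:to_s)
    elsif whitelist_by_default
      []
    else
      incoming.keys # open by default: the request decides what gets written
    end
  rejected = incoming.keys - allowed
  if strict && rejected.any?
    raise MassAssignmentError, "can't mass-assign protected attributes: #{rejected.join(', ')}"
  end
  updated = record.merge(incoming.select { |k, _| allowed.include?(k) })
  [updated, rejected]
end

# Constructed sample: a profile form only exposes 'name', but the request
# body also carries a 'role' field the form never offered.
PROFILE = { "name" => "alice", "role" => "member" }.freeze
TAMPERED_PARAMS = { "name" => "mallory", "role" => "admin" }.freeze

# Run the same tampered request through the three regimes.
def demo
  open_rec, = assign_attributes(PROFILE, TAMPERED_PARAMS)
  closed_rec, dropped = assign_attributes(PROFILE, TAMPERED_PARAMS, whitelist_by_default: true)
  declared_rec, = assign_attributes(PROFILE, TAMPERED_PARAMS, accessible: [:name])
  {
    open: open_rec["role"],        # "admin": the undeclared field went through
    closed: closed_rec["role"],    # "member": nothing is writable until declared
    dropped: dropped,              # ["name", "role"]: both keys refused
    declared: declared_rec         # name updated, role untouched
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

The open-by-default row is the shape of bug the issue describes: any column the attacker can name in the request is written unless the model opted out. Flipping the default means an undeclared model refuses everything and the developer has to list what a form may set, which is the change in behaviour the thread is discussing.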
I'm sorry but I have to defend Egor here. Here's how you actually report a vulnerability, demonstrated by dfranke here on HN -> <a href="http://news.ycombinator.com/item?id=639976" rel="nofollow">http://news.ycombinator.com/item?id=639976</a><p>What Egor did was to violate sensible disclosure rules. He should have contacted GitHub in private, created a test repo and demonstrated his exploit there, rather than impersonate users and compromise multiple accounts.<p>If I were in Github's shoes and I was trying to figure out what damage was done, the first step would be to suspend the account doing the damage to make sure no further surprises were headed my way.
What I would like to know is if this is permanent or just till github completes their security audit. It doesn't seem like homakov intended or caused any real harm, although it was a bit immature to draw attention to the vulnerability that way.
His account has been unsuspended.<p><a href="https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57#commitcomment-1041295" rel="nofollow">https://github.com/rails/rails/commit/b83965785db1eec019edf1...</a>
He clearly violated their Terms Of Service. If you like and enjoy a service, exploiting it to prove a point is not the way to do it. It takes no time to spot the clause about exploiting the service.<p>Legally, it wouldn't be good to have a TOS and then not enforce it. You never know how that could bite you later on if you get dragged into a dispute.<p>All this "they should give it back when they're done" is pointless. You can't reward stupid behavior.