
Hey Github, Remember This Article?

30 points, by blackhole, about 13 years ago

8 comments

dlokshin, about 13 years ago
GitHub has commented on the issue, and only suspended his account until they had gotten to the bottom of the issue, the hack, and his intent. This seems totally reasonable (as in he says this wasn't malicious, but let's make sure just in case). His account has been reinstated.

https://github.com/blog/1069-responsible-disclosure-policy

Knee-jerk reaction from people within this community seems baffling to me.
tomschlick, about 13 years ago
The author cites reporting the issue to the rails community but why didn't he report it to security@github.com? As some of the GH people have already said (on other articles), they would have taken him very seriously and not banned his account if he would have reported it the correct way instead of hacking into high profile accounts.
tzs, about 13 years ago
The author says Github ignored the issue when it was reported to them, but cites an issue opened on the Rails issue tracker. Unless I missed Github's acquisition of Rails, I don't see how that counts as reporting the issue to Github.
jimrandomh, about 13 years ago
The reason this was ignored at first should be obvious: his writing is hard to read, because he isn't fluent in English. While it turned out that he did have something important to say, most broken English is noise so people filter it out instinctively.
kuahyeow, about 13 years ago
The _pragmatic_ thing to do is indeed to suspend and investigate.
mrb, about 13 years ago
Read https://github.com/rails/rails/issues/5228

The vulnerability discoverer tried to explain the dangerousness of the bug multiple times... but he was ignored despite attempts to show benign ways to exploit it.

So he did the right thing by exploiting the vulnerability to perform a rogue commit to the master GitHub repo. No one was taking him seriously.

Now GitHub _finally_ fixed it!
Mamady, about 13 years ago
Finally someone speaks up! +1
sriramk, about 13 years ago
This is not what a white hat hacker does. A white hat would have contacted GitHub in private with a PoC done with a dummy account and a test repo. There is a reason responsible disclosure guidelines exist.