Public Key Security Vulnerability and Mitigation

GitHub had quite an interesting experience over the weekend, and it’s worth examining for a number of reasons. First and foremost, a security issue was exposed that affected an extremely large number of systems and users.

I’m not a Rails developer, but from what I understand, the security issue is one that had been raised and then closed in the past, and many people feel it should require a change to Rails itself. If you’re a Rails developer, I would highly suggest researching the issue at hand to determine whether your systems are exposed as well.

The second thing to note is the way the issue both occurred and was handled. From what I can see, the security notice was raised in private but, in effect, suppressed. To overgeneralize, the submitter then piggybacked on the exploit in a very visible way on GitHub itself so as to get the attention he felt it deserved.

It’s interesting to see people’s reactions not only to the submitter’s methods but also to GitHub’s response, which came in the form of two posts on the GitHub Blog:

It’s interesting to see the divide between support for and objection to both the exploitation of the issue and GitHub’s response.