

Hey Github, Remember This Article? - blackhole
http://blackhole12.blogspot.com/2012/03/hey-github-remember-this-article.html

======
dlokshin
github has commented on the issue, and only suspended his account until they
had gotten to the bottom of the issue, the hack, and his intent. This seems
totally reasonable (as in he says this wasn't malicious, but let's make sure
just in case). His account has been reinstated.

<https://github.com/blog/1069-responsible-disclosure-policy>

Knee-jerk reaction from people within this community seems baffling to me.

~~~
tylermenezes
They did that in this case, because it apparently wasn't clear enough. Their
real response was to create this:
<http://help.github.com/responsible-disclosure/>

Which more explicitly forbids this.

------
tomschlick
The author cites reporting the issue to the rails community but why didn't he
report it to security@github.com? As some of the GH people have already said
(on other articles), they would have taken him very seriously and not banned
his account if he would have reported it the correct way instead of hacking
into high profile accounts.

~~~
blatherard
Reporting it to github wouldn't have demonstrated the problem he was trying to
flag. His problem wasn't "github is insecure" but instead "rails by default is
insecure." When told by the rails team that fixing this problem was the
responsibility of rails users, he demonstrated that even the most
sophisticated users (presumably, github devs) were exposed.

If he had submitted a bug report to github, they would have probably just
fixed it. And the problem he was flagging in rails wouldn't have been any
closer to fixed.

------
tzs
The author says Github ignored the issue when it was reported to them, but
cites an issue opened on the Rails issue tracker. Unless I missed Github's
acquisition of Rails, I don't see how that counts as reporting the issue to
Github.

------
jimrandomh
The reason this was ignored at first should be obvious: his writing is hard to
read, because he isn't fluent in English. While it turned out that he did have
something important to say, most broken English is noise so people filter it
out instinctively.

------
kuahyeow
The _pragmatic_ thing to do is indeed to suspend and investigate.

------
mrb
Read <https://github.com/rails/rails/issues/5228>

The vulnerability discoverer tried to explain the dangerousness of the bug
multiple times... but he was ignored despite attempts to show benign ways to
exploit it.

So he did the right thing by exploiting the vulnerability to perform a rogue
commit to the master Github repo. No one was taking him seriously.

Now Github _finally_ fixed it!

------
Mamady
Finally someone speaks up! +1

------
sriramk
This is not what a white hat hacker does. A white hat would have contacted
Github in private with a PoC done with a dummy account and a test repo. There
is a reason responsible disclosure guidelines exist.

~~~
blackhole
Oh wait, but it doesn't matter! :D Because, you know, the whole point of the
article being that whether or not what he did was "right" is irrelevant
because banning him and then presenting a twisted truth to customers is not a
productive solution to the problem.

~~~
sriramk
I actually defend Github on that front too. Let's take the long view here -
Github has a growing code base and this won't be the last 0-day exploit they
face. Do they really want to signal any future person that they're ok with
being broken into as long as it is 'benign'? If I were Github, I would want to
be telling people "Hey, work with us and you'll get your cred as a security
researcher."

I reject the dichotomy that this pushes people to sell their exploits on some
illegal market. I think if people wanted to do that, they would irrespective
of what Github did.

It took many years for the security industry to arrive at responsible
disclosure guidelines; there is a reason they exist.