
His behavior should not be rewarded.


Why? He didn't cause any harm, disclosed quickly, and only acted after being ignored by the framework community (multiple times, it would seem).

It's not even being "rewarded"--it's being "not punished".

Wouldn't you like to have people spot vulnerabilities on your site and report them promptly without also breaking things? Seems a little ungrateful, yeah?

If we are all going to migrate to the cloud and assume our services (no longer under our control) are handled competently, we must place a higher premium on vetting that competency.


So if you had a vulnerable product and this gentleman altered one of your customer's pages without permission you would be grateful? That is strange to me.


Provided that he did so and made the change public, and the modification was not malicious?

Yes. I'd even send him a thank-you email, and add him to our list of contributors.

I'd then of course contact the customer (probably over phone, as quickly as possible), explain the vulnerability, explain what happened, and explain how we were fixing it. Then I'd write a post about it, and put it on the front of the site.

That's how you do business.


"Hey customer, someone hacked your page thanks to a vulnerability in my service, but don't worry... I've added him as a contributor to my project and sent him a thank you email."

Like that?


More like:

"Dear Grabastic,

Today we had a demonstration by a user (xxx) of a security vulnerability on our site.

${VULNERABILITY_EXPLANATION}

We believe that it is possible that your application or records are covered in the scope of the exploit, because of the fact that ${VULNERABILITY_APPLICATION}.

In order to fix this issue, we have ${VULNERABILITY_PATCH}.

We have thanked this user for their vigilance in spotting bugs and security weaknesses in our site, and they have been added to our contributors-security page here (link).

We have a stance that security is something that can only be improved by lots of inquisitive eyes, and so if you have seen any issues that concern you, please do not hesitate to inform us and/or demonstrate the vulnerability--provided, of course, you do so without breaking anything permanently. :)

Our service is better today than it was yesterday, and we hope that with the patience and openness of our users it will be still better tomorrow!

Sincerely, angersock "

See, not so hard!


Not bad. You won me over. :)


What if the customer is panicking, because the message looked like:

+another showcase of rails apps vunlerability.
+Github pwned. again :(
+will you pay me for security audit?

It kinda sounds like you've succumbed to an extortion demand.


Well, if like in this case, he warned me and I told him to "fuck off", I kinda would be grateful, even more like "Should've seen that one coming...".


I've yet to see any of the people conflating the Rails repository with the Github team reply to any of the (many) people in this thread pointing out that creating a ticket in the Rails repository is in no way the same as warning the Github team, so I'm really curious - is there general confusion about where the lines are between Github and Rails, or are you just being obstinate?
