You're conflating two issues here. He's arguing that the Rails team was ignoring an important issue by noting it was an easy end-user fix, and GitHub overreacted by suspending him after he tried several times to bring it to their attention, and then grossly misled their user base as to the extent of the issue (which sounds like a really fundamental security issue that any professional Rails developer should know how to avoid) and how they discovered it (i.e. they didn't discover it, they had to be shown it). You're responding as if GitHub was simply being attacked for not fixing the issue.
Did he notify github directly, or did he notify the rails team in a github-issue in the rails project?
If he didn't actually contact github directly and just assumed they would see the rails issue on a weekend, then I wouldn't exactly call it 'notice'.
If he did submit it to github via the proper channels before taking action, and nothing was done within a reasonable timeframe (e.g. not just an hour or two on a Sunday), then what he did would make a bit more sense.
It's sort of a sticky situation. My take on it wasn't that this was so much to screw with GitHub as it was to show the Rails team the true severity of an issue they downplayed. It gets a bit circuitous because Rails is hosted on GitHub and GitHub is a Rails app. Had he reported it to GitHub and they patched it, which is arguably the proper thing to have done, nothing would have happened on the Rails side of the equation. All told, I think he did the right thing.
The reason for exploiting github was to get the rails issue noticed, not to notify github of a vuln. If he quietly notifies github then there are still thousands of github sites out there that remain vulnerable. By exploiting GitHub and getting this huge response he allows the news of the vulnerability to get tons more coverage than it would have otherwise.
Fair enough. Ignoring the issue and not fixing it after it was brought to their attention, to me, is where they screwed up.
As for the account suspension, I'm not sure I agree that the account should not have been suspended. Github is a code repository first, and I don't think they have an obligation to keep people around who are exposing security flaws by notifying the entire community. As the author of the post points out, hundreds of thousands of apps rely on Github, so to an extent it is their responsibility to block people who may jeopardize their users. Let's say that they left his account active, and then two months from now he exposed a larger security flaw by greatly damaging a user's app or business. I'll bet there would be more posts like this one blasting Github for not suspending his account. Personally, I think they should offer him a job.
As the author of the post points out, hundreds of thousands of apps rely on Github, so to an extent it is their responsibility to block people who may jeopardize their users.
But they haven't blocked him. They blocked his account, so all he has to do is create another.
Github has put their users in far more danger by being dicks to a guy to gain nothing.
In what way do they have to prevent him from ever accessing the site from any account ever again? The best they can do is suspend his account per policy while they are investigating.
There are two issues with any exploit: (1) preventing future exploits and (2) making sure that whoever discovered the exploit hasn't retained any unauthorized access.
Fixing the bug addresses (1) and suspending his account gives them time to address (2).
But the thing here is that if he genuinely wanted to retain unauthorized access, he had at the very least several days to create a ton of alternative accounts to make use of this exploit.
Suspending his account wouldn't have affected him if he was being black hat about this. A suspension in this case serves pretty much no purpose other than to make Github feel better about themselves.
Aye, that's where it gets hairy – I (or anyone else) could write equally impassioned blog posts for making him their chief security officer, or for suing him. The article starts going down the road of playing Monday morning quarterback with that issue, but it's short enough that it's acceptable. Not looking forward to the avalanche of posts on either side of the debate, though.