GitHub has reinstated the account of a Russian software developer who discovered a series of security flaws involving the code repository that he eventually shamed the site into fixing over the weekend. Egor Homakov discovered a cryptographically-related security bug on GitHub that allowed attackers to gain administrator access …
Differences of opinion
Their statement says they worked with him to fix it BEFORE he proved there was a flaw. Your story says he was ignored (or received no human response), and felt compelled to prove he shouldn't have been ignored. Which version is correct?
It is common practice for severe security bugs to 'vanish' to a developer-only section of the bug tracker, though not notifying the poster privately is stupid and far too common. Happened to me before.
Unlikely they just deleted the ticket, more likely to languish at the bottom of the bug queue for years if they didn't see it, so both versions of events are perfectly plausible.
Banning the account was over the top when he did something innocuous for a bug which could be used for many nefarious purposes, irrespective of EULA crap.
Not a Rails vulnerability
It is important to clarify that this was not a vulnerability in Rails itself but in the way it was being used. They forgot to use attr_protected or attr_accessible or didn't use them correctly. It is also worth noting that as of a recent Rails release, attempting to perform this kind of attack when the application has been secured properly will raise an exception (by default) instead of merely logging a warning.
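The mass-assignment mistake the comment describes, as an added plain-Ruby illustration that is not from the article, the commenter or Rails itself: a model that writes every submitted key beside one that applies an attr_accessible-style whitelist and either warns (older Rails behaviour) or raises (the newer default). The class names, `assign_attributes` method and sample request parameters are assumed for illustration.

```ruby
# Added illustration of Rails-style mass assignment; no Rails dependency.
# Class names, the assign_attributes method and PARAMS are assumptions.

class MassAssignmentSecurityError < StandardError; end

# Constructed request body: a user-editable form that also smuggles in
# an "admin" key the form never exposed.
PARAMS = { "name" => "alice", "email" => "alice@example.test", "admin" => true }.freeze

# Vulnerable form: every column is settable via mass assignment, so the
# extra "admin" key silently escalates privileges.
class VulnerableUser
  attr_accessor :name, :email, :admin
  def initialize; @admin = false; end

  def assign_attributes(params)
    params.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Hardened form: only whitelisted keys are written, mirroring
# `attr_accessible :name, :email`. Older Rails merely logged a warning for
# a protected key; newer releases raise an exception by default.
class SecureUser
  attr_accessor :name, :email, :admin
  WHITELIST = %w[name email].freeze
  def initialize; @admin = false; end

  def assign_attributes(params, strict: true)
    params.each do |k, v|
      key = k.to_s
      if WHITELIST.include?(key)
        public_send("#{key}=", v)
      elsif strict
        raise MassAssignmentSecurityError, "Can't mass-assign protected attribute: #{key}"
      else
        warn "WARNING: Can't mass-assign protected attribute: #{key}"
      end
    end
    self
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable admin flag: #{VulnerableUser.new.assign_attributes(PARAMS).admin}"
  puts "secure (warn) admin flag: #{SecureUser.new.assign_attributes(PARAMS, strict: false).admin}"
end
```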