Giving a 401 indicates that there might be a resource, though, which can also be harmful.
It is fairly common to return a 404 to unauthorized users (or users with not enough permission) so you don't give away meta information. Granted, for the public search, it should return an appropriate error code but they should not do that for private repositories. Thus it think it is fair to assume that they have a policy: if user/guest does not have sufficient permission, always return an error 404.
It is fairly common to return a 404 to unauthorized users (or users with not enough permission) so you don't give away meta information. Granted, for the public search, it should return an appropriate error code but they should not do that for private repositories. Thus it think it is fair to assume that they have a policy: if user/guest does not have sufficient permission, always return an error 404.