[vesinisa]

Either way, it's pointless to "reprimand" the perpetrator. This could have just as well been a deliberate spam attack eg. someone using the @-mention to promote their scam-coin or penis enlargement product (and some people in the thread seem to have already used the opportunity to promote their band etc.) Telling a spammer they are doing an evil thing is obviously useless as they are well aware of it. This should be viewed and handled as a security / access control failing on Epic's part - that this was ever possible was a mistake and only a question of timing when someone would stumble upon the vulnerability. Whether their purposes for exploiting it are nefarious, sincere or even accidental is irrelevant.

[edwcross]

On the one hand, I agree that paying attention to the spammer is bad; on the other, I do believe there might be some use in publicly stating that such PRs will never be merged and are frowned upon; hopefully other people reading (many of them likely beginner programmers) will get the message. But there's likely a better way to do the "teaching" without drawing any attention to the perpetrator.