by bearjaws 1468 days ago
I am really curious how SecOps works at GitHub.

Why not, after remediation, inform users of the flaw and potential impact, then follow up with detailed impact?

Instead we get this 3 months later, and all they can say is "Some of your apps refreshed their tokens during a 5 day period", which is not news...

This is also the second time this year there has been a significant delay in communication. Granted, those involved other third parties, so who knows where the delay lived.

2 comments

I would assume the lawyers have to get involved first to write up some document proving that GitHub is not liable for what users do with their app tokens. CYA, then tell the public.

They might assume that the account holder is a likely perpetrator, which might be true but also enables their intermediation of the context and control of the sequence of communication.