by dogecoinbase 1465 days ago
> ... we were unable to determine whether this bug was ever exploited.

> ...

> Due to the variety of GitHub Apps, their possible scopes, and the repositories they may have been given access to, we are unable to advise on any potential impacts as each customer's situation will be unique.

Absence of evidence is not evidence of absence.

That's true, but feels like these are always judgment calls. We can always armchair quarterback their judgment calls, but none of us have the full info. At least GH is sharing this info, which is a good call for trust building IMO.

That's not fully GitHub's choice to make. They made a judgement call based on seemingly incomplete evidence, and have different incentives than everyone else.

Repository owners may well have a different level of acceptable risk or legal obligations over the integrity of their source code. For example, if I was maintaining security software or a popular package, it would be entirely appropriate to stop everything and look for abuse. Waiting three months makes that harder.

I'm not sure that's trust building.

Fair point - I think that's very fair criticism

This is only a judgment call because they have no idea. The fact that they have no idea whether your organization's data was leaked is exactly what people here are complaining about.