by boundlessdreamz 5213 days ago
The vulnerability is still GitHub's. Rails provides the tools to do this right. Whether Rails should provide stricter defaults is another question altogether.

I was replying to the parent, who attributed this to the power of "open source & eyeballs looking at your code" but this is not such an instance.

1 comments

Lots of projects provided the tools to do lots of things right in years past, but they eventually came to recognize that if they didn't provide secure defaults, they were ultimately harming everyone out of some twisted sense of principle. Insecure defaults are thus now considered a vulnerability in the original project.