[gbrindisi]

I hate to be the one pointing out this but it's a shame that a company like GitHub will reward responsible disclosures just with a thank you and the promise to not pursue a legal action.

http://help.github.com/responsible-disclosure/

"white hat researchers are always appreciated"

[rflrob]

If what you're implying here is that they should be offering a bounty for discovery of bugs, I'm not necessarily disagreeing with you, but to expect them to get a policy about that and to allocate funding for those bounties on a Sunday, within 24 hours of a major, public breach seems a little unreasonable.

[gbrindisi]

I'm with you but still it's silly they didn't have a responsible disclosure program until today in the first place.

[simonbrown]

They did.