Yes. Simply publishing on GitHub makes it a TOS violation. You're free to blab all you want. Just host it on your own server and maybe even your own ISP. The code will be protected, but the publishing is not!
“Our clickwrap terms of service prohibit users from talking about dangerous defects in our products without telling us and keeping it a secret for a month” is a hell of an argument to even attempt in front of a judge, let alone to be accepted.
Again, there isn’t really any case law I can find suggesting that skipping responsible disclosure opens you to any legal liability - which is the argument being made here.