I don't think that is a fair assessment of him, even then.
At any case, I hired him fairly recently for a security audit and he worked quickly, and was very effective (he found several important vulnerabilities and reported them in a crystal clear manner). He was also a pleasure to deal with (no bullshit stance, something I find enjoyable).
The 4000 USD for ~20 hours of work were definitely well spent!
The parent was asking why Github haven't hired him, not why nobody has hired him. If you remember, Github actually banned him for hacking the Rails account in his pentesting.
Yeah, the first Github and Rails exploit is the one that still sticks out in my mind. That kind of thing can be hard to shake, but it helps that you were quite young at the time. I'm happy to see you've matured a lot since then.
I think his behaviour was commendable - he tried many many times to warn, going to multiple people and projects, but they all ignored him - they were too busy being Gem installing Ruby hipster Brogrammers to consider security, and it bit them hard in the backside.
I'm incredibly interested in angling my career towards security and have no real experience.
Wouldn't it also be wise to keep people like him 'out of the loop', I imagine it's much harder to audit when they have access to internal code/architecture that would be difficult for an outsider to stumble-upon?
he gets paid $400/hr doing consulting for YC Companies and other startups and companies, he is from Russia, and now lives in Bangkok, when he becomes rich he wants to live in Hong Kong, pretty nice for a 20 year old, I don't see any glaring reasons to work for Github http://egorhomakov.com/
400 USD/hour is a great rate anywhere in the world, even the most expensive cities.
But abcd_f's comment is right about one-off 4-hour projects vs. long-term contracting. Non-billable time overhead spent on finding clients, negotiating contracts, mentally switching projects, or just sitting idle can negate the benefits of a high hourly rate.