From the ‘Bender from the Future’ files:
Over the last several years, GitHub has become the premier development hub for all things open source.
So when the GitHub platform as a whole has a security problem, open source developers really need to take notice.
Late last week, a flaw in the underlying GitHub Ruby code was discovered and reported to GitHub. GitHub disagreed with the severity and closed the bug without fixing it, which led to one of the best back-and-forth discussions I’ve ever seen in an open forum about a security issue. You see, the researcher who discovered the flaw, Egor Homakov, didn’t stay quiet; he kept pushing the issue.
One of my favorite Homakov posts was titled “geez. github y u SO open?”, which was part of his thread “I’m Bender from Future.”
For his efforts, GitHub didn’t reward Homakov; instead they suspended him from GitHub. To GitHub’s credit, they did eventually reinstate him.
The problem with this whole security issue is that, at its core, it’s an exploit that could have enabled anyone to inject anything they wanted into any GitHub account. That’s a major problem, whether it’s in Rails or anything else on GitHub. Instead of dealing with Homakov responsibly, GitHub put roadblocks in his way until he forced their hand.
I strongly suspect that after this issue, GitHub won’t be as flippant the next time a security flaw is reported. I really do wonder, however, how many other issues in the GitHub platform have been ignored, issues where the researcher wasn’t as aggressive as Homakov.