I'm sorry, but this feels to me like an over-dramatized heap of bullshit.
First, the statement, "Rails. You clearly messed up." is self-righteous bullshit at its finest. Rails didn't mess up; the programmer(s) at Github messed up. No conscientious developer lets the end user mass-assign variables carte blanche. But with that said, _every_ developer messes up every now and then despite their best efforts; sometimes they mess up in a big way.
Secondly, if a user discovered a vulnerability in something I wrote, and they handled it like homakov did, I'd ban the shit out of them until I knew for sure that they weren't a threat.
Finally, Github handled this exactly the way many companies would handle it: it's called damage control. These guys are really good at what they do, they provide a great service and they offer up a lot of their tools to the FOSS community.
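The "mass-assign variables carte blanche" point above is easiest to see in code. The following is an added example, not part of the original comment and not GitHub's or Rails' code: a plain-Ruby sketch, with no Rails dependency, of a model that blindly assigns every key a client sends next to one that only assigns an allow-list. The `User` class, the `PERMITTED` list and the `UNTRUSTED_PARAMS` request hash are all constructed for illustration.

```ruby
# Added example (not from the original comment): the mass-assignment problem
# in plain Ruby. A web framework would normally build a hash like
# UNTRUSTED_PARAMS from the request body; here it is constructed inline.

class User
  # Keys a client is allowed to set. "admin" is deliberately absent.
  PERMITTED = %w[name email].freeze

  attr_accessor :name, :email, :admin
  attr_reader :rejected # keys dropped by the allow-list, for logging/alerting

  def initialize
    @admin = false
    @rejected = []
  end

  # Unsafe: every key the client sent that matches a setter gets assigned,
  # including privileged fields such as admin=.
  def assign_all(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Safe: only allow-listed keys are assigned; anything else is recorded and
  # ignored, so an unexpected "admin" field never reaches the setter.
  def assign_permitted(params)
    params.each do |key, value|
      if PERMITTED.include?(key.to_s)
        public_send("#{key}=", value)
      else
        @rejected << key.to_s
      end
    end
    self
  end
end

# Constructed request body: a signup form with an extra "admin" field added
# by the client.
UNTRUSTED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

def unsafe_user
  User.new.assign_all(UNTRUSTED_PARAMS)
end

def safe_user
  User.new.assign_permitted(UNTRUSTED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "assign_all       -> admin=#{unsafe_user.admin}"
  u = safe_user
  puts "assign_permitted -> admin=#{u.admin}, rejected=#{u.rejected.inspect}"
end
```

In Rails the allow-list role is played by `attr_accessible` (Rails 3) or strong parameters (Rails 4 and later); the `rejected` list here stands in for the kind of log line a defender would want when a client submits a field it should not be able to set.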