I’m pretty sure I was the first to report this issue. Suddenly a build server started acting up, rebuilding a repo which hasn’t been touched in months… and with thousands of new commits… and the tests were failing because the scripts being called didn’t exist anymore. It took a lot for me to believe what happened, and I felt like it took a lot to convince Github it was happening, too. It was a really scary Friday night.
How did that communication take place? Did it happen only over email or did you speak to anyone on the phone?
I tried reaching out to people I knew, and was redirected to support@. Someone pointed me to firstname.lastname@example.org, but eventually went through a security expert on Twitter to connect me directly when I hadn’t received a response from Security after some time. I haven’t spoken on the phone. After I got it reported to Github, I sent a very carefully worded notification email to the company whose private repo I downloaded. I did this both to let them know, but also so they would close the loop on Github after a fairly quiet response.
Incidents like this lay the foundation for my (unhealthy?) obsession with using actual, heavily restricted system accounts and SSH key pairs.