I recently discovered and disclosed some rather serious cross-site request forgery vulnerabilities to the security team at github at 2:30 AM =p, and they managed to get a fix implemented and rolled out by 10:30 AM. That is a truly badass turnaround and they should be fiercely commended for their work.

The vulnerabilities themselves were pretty chumpy though. There was nothing being done to stop someone from tricking a logged in user into deleting their repositories / replacing their email / password / etc. I am glad it was fixed so quickly, but less than ecstatic about it being there in the first place. Github has been around for long enough (firmly and very specifically in the web technologies fields) that this should not have been an issue.

Please be aware of csrf people, it will mess up your day.