This 18 year old kid's actions made an enormous difference for good in the security of _every single user of GitHub_.
And for that, he gets banned. WTF.
GitHub needs to man up, say thank you, publicly apologize for banning the kid, and politely ask people in the future to send Rails exploits on GitHub to some.email@account they've set up to ensure they're dealt with promptly.
Claiming the "letter of the law" here is making GitHub look seriously petty and lame.
I would go as far as to say every single [beginner] user of Rails too. If it wasn't for all this, I'd never have known there was a gaping exploit I'd need to patch up in my own app in development.
This, in and of itself, is a major flaw in their documentation. It's like PHP's mysql functions not mentioning escaping strings on their manual pages, but instead burying it all entirely elsewhere, where you'd never think of looking.
"You should have read every single page of the documentation, then you'd know we briefly mentioned mysql_real_escape_string() and prepared statements that prevent this issue."
I mean, the least you can do if you won't provide a fix, or sensible defaults, is to make it abundantly clear you have to correct it yourself. (Bit of a broken record with this schtick, sorry!)
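The "gaping exploit" the commenter above had to patch in their own app was Rails mass assignment (the hole Egor used on GitHub). As an added example, not from this thread and written in plain Ruby rather than Rails, here is a model that trusts a whole params hash beside one that mirrors the attr_accessible allow-list; the class and attribute names are constructed for illustration:

```ruby
# Added example (not from the thread): a plain-Ruby sketch of the Rails
# "mass assignment" pattern, where a model takes a whole params hash at
# once. The vulnerable form trusts every key the client sends; the
# hardened form mirrors attr_accessible by allowing only a declared list.

# Constructed request body: a user edits their profile but also slips in
# an attribute they should never control.
TAMPERED_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.test",
  "admin" => true, # must never be client-settable
}.freeze

# Vulnerable model: behaves like a Rails 3.x model with no attr_accessible.
class UnprotectedUser
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Every key in params becomes a setter call; "admin" is silently accepted.
  def assign_attributes(params)
    params.each { |k, v| send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end
end

# Hardened model: only an explicit allow-list may be mass-assigned.
class ProtectedUser < UnprotectedUser
  ACCESSIBLE = %w[name email].freeze

  def assign_attributes(params)
    rejected = params.keys - ACCESSIBLE
    # Log rather than raise, as Rails did by default; a stricter app may raise.
    warn "rejected mass-assignment of: #{rejected.join(', ')}" unless rejected.empty?
    super(params.select { |k, _| ACCESSIBLE.include?(k) })
  end
end

# Returns [admin flag after unprotected assignment, after protected assignment].
def demo
  [UnprotectedUser.new.assign_attributes(TAMPERED_PARAMS).admin,
   ProtectedUser.new.assign_attributes(TAMPERED_PARAMS).admin]
end
```

Running `demo` shows the unprotected model ending up with `admin == true` from a single tampered form post, while the allow-listed model keeps `false` and still accepts the legitimate fields.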
Github was right to ban the guy. He did hack them roundly after all.
On the other hand, he did it in a largely non-malicious way and even managed to expose those Rails knuckleheads for the greater good.
Github should find a way to let him back in, intentionally. Perhaps they could offer to let him create a new user and give him some of his repositories back (if any were important).
Edit: It appears Github has in fact reinstated him.
GH is playing to two audiences here. The hackers agree with you, but the corporate types (those who play by the rules) don't. GH stands to lose more by alienating the naive mob who think banning the account makes an iota of difference than it has to gain by trying to please the rest of us. GH is acting risk-averse with its PR strategy.
My prediction: Egor gets a job offer from GH within 2 months.