>For the record, I didn't publish vulnerable systems, I published stores that have malware.
This is a crucial point, because it shows GitLab is basically nonresponsive to the key issue; it's the difference between "Here's how to hack Giant Anchor Retailer" (unethical, possibly illegal) and "Giant Anchor Retailer has been hacked, estimated NNN cards may have been compromised" (of public interest, not illegal). In my case, I want to know if I used any of the retailers on the list!
For GitLab to call this "egregious" and that they "will not abide it" suggests that either GitLab is technically incompetent in security matters, or that they've received legal notices and decided that the shortest path to resolution is to throw their users under the nearest publicly-operated multiwheeled passenger conveyance. In either case, poor show, good reason to seriously consider moving off GH and GL.