That actually sounds like an awful way to report an XSS. Honestly, as someone that maintains a web service I have to say I'd prefer private disclosure than even the rickroll approach. All it takes is one "genius" doing some copy-paste action and then you're in a world of hurt and damage control.
Regarding this and the other response to me. I would never do what I described. I was just trying to demonstrate to those that don't understand XSS properly, that these issues are serious. I don't think a Rick Rolling really gets that issue across.
If I do an XSS attack against you on github whilst you are logged in, I can compromise all of your source repositories, your code, and in turn, potentially compromise the systems of your users.
Yes, soon after posting I realised it wasn't the best idea I've ever had. I regret posting this before the Github guys got a chance to fix the hole. Not something I'm going to repeat.