While developing github-org-members.js, a JavaScript library to display the members of a GitHub organization, @IonicaBizau identified and reported a bug where the private members of an organization could be listed via the API using a scopeless OAuth token for a member of that organization. We addressed this by restricting the API to only return public members when accessed with a scopeless OAuth token.