@pouyadarabi discovered it was possible to register for the GitHub Developer Program without a paid plan. While we were validating that a user was on a paid plan when rendering the program registration interface, we were not doing the same validation when a registration was submitted. We addressed the vulnerability by adding a check to the registration endpoint.