@rohit-dua discovered a way to sign up for a paid organization plan without providing billing information. When a user creates an organization they can either choose a paid plan for unlimited private repositories or a free plan for unlimited public repositories. When a user chooses a paid plan, we collect billing information before creating the organization. However, @rohit-dua observed that you could submit the form for a free plan, but change the plan type to a paid plan, without providing any billing details. This could have allowed an attacker to create an organization with a paid plan without being charged for the duration of the plan (monthly or yearly).
We addressed the vulnerability by validating the billing information before setting the newly created organization’s plan type.