@not-an-aardvark reported that titles of private issues could be disclosed by marking a private issue as a duplicate of a public issue. New additions to keyword workflows in GitHub.com allow a user to comment on an issue and mark it as a duplicate of another. This action adds an indication on the referenced issue allowing other users to quickly view all issues that are duplicates of each other. In this case, private issue titles and private repo names would show up if a collaborator on a private repo marked an issue in that private repo as a duplicate of an issue found in a public repo.
We addressed this issue by refactoring our authorization checks for issue metadata. This issue does not effect GitHub Enterprise.