Andy reported a bug that would allow an attacker to upgrade a GitHub plan without setting up a payment method. This would be caught in the next billing cycle and any private repositories created on the unpaid plan would be locked. This still presented some risk and circumvented the intended plan-upgrade flow.
Thanks Andy, for participating in the beta test of this program.