@tomvangoethem along with @mathiasbynens discovered that Gist could leak Referer headers for Gists containing certain user content. This did not allow an attacker to disclose the private URLs of arbitrary Gists. We remediated this issue within modern browsers by adding support for the <meta name="referrer" content="never"> tag on private Gists.
Along with @mathiasbynens, @tomvangoethem discovered an Open Redirect vulnerability in GitHub.com. An attacker could have exploited this vulnerability to redirect users from GitHub.com to arbitrary sites. We have addressed this issue by improving our redirect URL checking.
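One way to implement the kind of redirect URL checking mentioned above, as an added example: this is not GitHub's code, and the page does not describe the actual fix. The function name `safe_redirect_target`, the allow-listed host `app.example.test` and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list for this sketch; a real site would list its own hosts.
ALLOWED_HOSTS = frozenset({"app.example.test"})


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `target` if it stays on an allowed host, otherwise `default`."""
    if not target or not isinstance(target, str):
        return default
    # Browsers drop tabs/newlines and treat "\" like "/", so a server-side
    # parser can disagree with them. Refuse such input outright.
    if "\\" in target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return default
    # Same-site path: exactly one leading slash. Browsers resolve "//host"
    # and "///host" against a different authority.
    if target.startswith("/"):
        return default if target.startswith("//") else target
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # Userinfo ("trusted-name@other-host") can disguise the real host.
    if parts.username is not None or parts.password is not None:
        return default
    # Exact host match; prefix or suffix matching admits look-alike hosts.
    if host is None or host not in allowed_hosts:
        return default
    return target


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    samples = [
        "/dashboard?tab=1",
        "https://app.example.test/settings",
        "//other.example.net/x",
        "/\\other.example.net",
        "https://app.example.test@other.example.net/",
        "https://app.example.test.other.example.net/",
        "javascript:void(0)",
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_redirect_target(s)!r}")
```

The check does not restrict ports, so a deployment that cares about them needs to compare `parts.port` as well.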