I think there's a pretty big difference between an engineer writing thread-unsafe code, testing and seeing inconsistencies that (incorrectly) appear to not affect any external users, shipping it, and then the security team finding the problem and developing new processes to prevent this in the future — vs the CTO of Gab writing raw SQL using string concatenation, shipping it without code review, and then trying to cover it up afterwards.
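The "raw SQL using string concatenation" pattern mentioned above, shown next to its parameterized replacement. This is an added example, not code from any commenter or from Gab; it uses an in-memory SQLite database with constructed sample rows (the usernames and addresses are made up). The point it makes is that once input is spliced into the statement text, even an ordinary apostrophe in a username changes the statement's structure, whereas a bound parameter is always treated as data.

```python
import sqlite3


def setup_db():
    # Constructed sample data: a throwaway in-memory database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("o'brien", "obrien@example.test"),
        ],
    )
    return conn


def lookup_concat(conn, username):
    # Vulnerable pattern: the caller's input becomes part of the SQL text.
    # Any quote character in `username` now alters the statement itself.
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, username):
    # Hardened pattern: the statement is fixed; the driver binds the value
    # separately, so the input can never change the query's structure.
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username):
    """Run both lookups on a fresh database and return (concat_result, param_result).

    If the concatenated statement is no longer valid SQL, the concat result is a
    string naming the database error instead of a list of rows.
    """
    conn = setup_db()
    try:
        concat = lookup_concat(conn, username)
    except sqlite3.Error as exc:
        concat = f"error: {type(exc).__name__}"
    param = lookup_param(conn, username)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(repr(name), "->", compare(name))
```

For `alice` both lookups agree. For `o'brien` the concatenated statement becomes `... WHERE username = 'o'brien'`, which SQLite rejects as a syntax error, while the parameterized lookup returns the row. That the statement can be broken by a legitimate name is the same defect that makes it exploitable; a code-review rule that rejects string-built SQL catches both at once.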
No software maintained by a large team will be bug-free forever, and that includes security bugs. The response to bugs is what matters. In this case Github's response was quite mature; in Gab's case, it wasn't.
The billions don't automatically scale development. You know that. Every development is still done at the human level. But you still might be right that there is no excuse.