
What's to prevent Egor from setting up a new account and using it to exploit the vulnerability he's found?


That is why this just seems like petty bureaucratic revenge. It looks good for PR purposes and placates other users ("look we got rid of the problem, the hacker has been eliminated").


I think it is more likely they need to verify that he only did what is currently known about and nothing else (such as if he had granted himself access to some private repos, for instance). Much safer to suspend/terminate his account first just in case. They are likely combing access logs, etc. Maybe they will reinstate it later after a review. Who knows other than Github.

It could also be to reduce legal culpability. If they left his account enabled and he had granted himself access, and later did more damage, they might be liable for negligence? Not sure. IANAL, etc.


> It could also be to reduce legal culpability.

Ok that makes sense. In light of that they most likely acted rationally and correctly.


They claim to have fixed it. http://news.ycombinator.com/item?id=3663313

Whether they were thorough enough to fix it everywhere in their code is a different matter, though.


I believe Github has patched this specific vulnerability.


Ethics? He's made his point.



