Is Twitter/X the right channel to announce a security event like this?

I ask because I don’t see anything posted on their official blog or status page.

https://github.blog/

https://www.githubstatus.com/

It's certainly not the right platform. It'd be one thing if they had any official communication on the matter anywhere else. Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.

They announced this exclusively on X.com, which ranks barely above Pinterest in terms of usage. That's below Reddit, Snapchat, WeChat, and Instagram, and requires a user account to view profiles and posts. And that's ignoring all the reasons X is a divisive platform with an extreme political bent.

GitHub chose not to announce this on any other social media either (Bluesky, Facebook, TikTok, YouTube, LinkedIn, or Mastodon, as of this posting), and no emails were sent on the matter.

Who the heck follows GitHub on Snapchat, TikTok, YouTube, Pinterest, Instagram, Reddit, Facebook, or WeChat?

Wherever they posted, there are at this time two articles on the Hacker News front page. Sounds like they have reached their audience.

> Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.

I think that's panic mode from some decision maker (i.e. head of marketing or head of security).

Twitter has been the platform for announcing news for many an organization.

I don't see why it cannot be so. It's still big, and has a huge network effect. Are you sure you're against it simply because of your personal bias?


Lol. Saying things doesn't make them true, man. Everyone in tech who matters is on X.

Nobody's going to post on Bluesky or Reddit because they don't matter. You know this, I know this, they know this, let's just all be real here.

I’m not on X, so it’s good to know I don’t matter in tech. I always suspected. Since I’m a paying GitHub customer, though, I should probably matter to them. The right forum for GitHub to post this is their status page, their blog, their website, or an email to all their customers. Using any sort of social media for this kind of thing is either incredibly sloppy or very intentionally quiet. Given that my tiny employer has a better incident communication plan than this, my guess is this is an attempt to downplay things.

Company news really should be posted on a company website first, other platforms secondly in my opinion.

> Saying things doesn't make them true, man. Everyone in tech who matters is on X.

The cognitive dissonance is insane here. Indeed, saying things doesn't make them true. Even for you. Facts don't care about your feelings.


Maybe we need a cultural shift then, because if one needs to use a platform like X, nowadays owned and operated by fascists, then there's something deeply wrong with the tech world. It'd probably take a lot of effort to do so, but it'd be absolutely worth it.

Besides, even if that wasn't a consideration, only posting the announcement to X is just crazy. As others have said, you'd expect GitHub to make the announcement on their official website. Any paying client would then just follow that for their announcements.

I just spent a few minutes trying to think of a better place and I can't think of one; there is no professional social network, and LinkedIn doesn't qualify.

You don't need a professional network. This is a company informing customers about a security issue. It should be on their website. Anyone can subscribe to the RSS feed if they are a customer. Remember RSS? There is no need to add a social network element.

Even if it's a wingnut-dense place, there are good arguments for using a channel independent of your infra in a case like this. They don't know if their status page is pwned.

It's been pretty common for decades for tech companies to announce outages and quick updates about them on Twitter. I'm sure their status page etc. will be updated soon, but it's historically been the fastest way to get things out to the wider audience whilst bypassing the "official mail out" review by marketing etc.

I think that was a lot more justifiable when Twitter reliably let logged-out users read tweets. X seems to tweak it all the time, or maybe it’s just broken a lot, but sometimes I can’t even load a tweet in a browser that isn’t logged in.

They should send messages directly to their customers as a first step in addition to posting an official article on their site. That’s the minimum. If they haven’t done that then it is hard to defend.

Beyond that, Twitter is the de facto default dissemination vehicle, due to its reach. Even if people are not on Twitter, they are likely to see things from people that are on Twitter.

It’s a very popular messaging platform for tech enthusiasts.

Also a very popular messaging platform for [redacted] enthusiasts.


So? Is this where your corporate paying clients should find out about an issue of this severity?

Not to mention Twitter is not an open platform anymore! (A) I'm an employee in an organization paying for GitHub. (B) I don't have a Twitter account. I already have a GitHub account because of (A). Why should (B) stop/delay me from getting official comms about this?

I can't imagine they'd spam every account with an email address, though an email to organization owners would make more sense.

> I can't imagine they'd spam every account with an email address

It's not "spam" if it is relevant to me, such as security incident disclosures.

Also, as tiffanyh pointed out, what's wrong with the GitHub blog, or is that exclusively for marketing fluff now? That would've been appropriate enough, without having to spend SendGrid credits.

Mailing every (potentially) affected entity is common and good practice for major incidents.

Isn't it the first stop for the USG at this point? I mean, I wish the world were a different place but here we are.

Watch it turn out to be that their Twitter account is what was hacked, and github.com is actually fine.

Probably the best option after sending a mass email when customers need to take action. The status page is for reliability issues impacting end users, and the blog is for in-depth analysis.