If you're investigating a security situation, you don't have to say squat. Whether you were in the right or the wrong, explain what happened and apologize to those where were affected once the facts are understood, as they have done here.
It takes time and energy to come up with responses such as this (not a lot, but every bit counts in an emergency), and those are resources that you should be using the solve the problem. Not to mention that saying the wrong thing is worse than saying nothing at all.
It's basic emergency management: 1) stabilize the situation, 2) figure out what's going on, 3) fix it, and then 4) explain what happened to the stakeholders. I see nothing wrong with github's actions here.
That is irrelevant. The world doesn't stop turning on the weekend. It was in Github's best interests to get out ahead of this, and they did. They don't need to be commended for it just because it's Sunday.
Actually, the world _does_ stop turning because it's Sunday. Anything happening on the weekend is emergency management, which takes time to scramble. I work in network/information security, and if we had a security incident on a Sunday, it would go to our backup team (of one). If they (he) deemed it critical, they would notify the security director, who would notify my boss, who would notify the rest of the team. This would take 3-5 hours, plus the amount of time it took us to get to the office and actually investigate the emergency. While we were investigating, we would likely shut down everything (including user accounts that were involved).
Weekends are time away from the office. I don't understand how you could expect the same amount of service on a weekend opposed to a week day. Do they deserve to be commended just because it was a weekend? Internally maybe, yes, externally maybe not. Fact remains that the weekend is when they are most likely to be short-staffed.
I agree. But we're talking about software as a service here, and that kinda makes it a different ballgame. Folks are paying money (in some cases) to use your software living on your servers (or, at least servers that you manage). I would certainly hope that someone who can deal with outages or penetrations is actually working on the weekend (perhaps that person doesn't work Monday and Tuesday?).
Would you say "eh, but it was the weekend" if an attacker purged your paid enterprise repo on a Sunday morning?
Not all Muslim countries do though. All north african countries have a saturday/sunday weekend, except Egypt. and even in Egypt some companies make sure a subset of their employees work on their weekend because, well, most of their partners are working.
I think it could be reasonably inferred that when someone says "the world stops turning", it's being used metaphorically. Kind of like "stop the presses".
It takes time and energy to come up with responses such as this (not a lot, but every bit counts in an emergency), and those are resources that you should be using the solve the problem. Not to mention that saying the wrong thing is worse than saying nothing at all.
It's basic emergency management: 1) stabilize the situation, 2) figure out what's going on, 3) fix it, and then 4) explain what happened to the stakeholders. I see nothing wrong with github's actions here.