Possibly years? They probably wont know either - I can imagine that this could be hard to track if someone is careful enough.

Between the time Homakov made his work public and the time it took them to fix it? I think it was close to an hour and on a Sunday. I doubt there are any other cases.

And we're confident that this guy is the only guy to ever exploit that weakness on github in the last 4 years?

No, we are not. My bad, I misunderstood the statement; I thought he was referencing yesterday only, which I thought might not be possible, given the sort amount of time. Obviously if other people knew that's a whole different story.