Instead of focusing on the pull request, maybe we should think about better vulnerability trajectories. Next time don't make a pull request. Just fork the project, add some dumb feature someone will want or need, then leave your fork out there on GitHub. Morons will pull it down and use it without ever checking the code.