The public are told all the time to beware of giving out information—even to (what appears to be) trusted sites, if they aren’t absolutely sure it’s genuine. Asking via email, and collecting information on a third-party website (Google Forms), are warning signs. So when a legitimate survey comes along, it needs to avoid:
- Raising incorrect suspicions (reduces number of replies received, wastes support/community time in answering threads like this one).
- Undermining security messages (this one was legit, so people are more likely to hand out information next time).
What I think anyone running a survey/giveaway needs to do is to have a source of information about it, separate from the request and verifiably from the genuine organisation (so, on the GitHub website).
At a minimum, there should be some statement like: yes, we sent this email, and yes, we want you to go fill out this Google Form. I expect, and I think most people expect, to see terms and conditions as well. Ideally there’d also be some confirmation: your survey has (or hasn’t) been received and we’re including (or not including) you in the giveaway.
I recognise that the survey that prompted this was meant for a limited number of people, and secrecy and transparency can be hard to balance (how do you publish terms and conditions for a private offer without making it public?). But surely there are best practices out there for this already.