Hello, @that-pat, I am sorry for resurrecting an old thread, but I have a somewhat related question.

I've recently found out that it is possible to check if the user exists on GitHub by committing using the user's email and pushing the commit to a repository on GitHub (the repository may even be private and inaccessible to anyone else). After that, you can check the commit page, and if the email is linked to a GitHub user and is verified (even though it may be non-primary or private), there will be a link to that user's profile page.

So, I was just wondering, what's GitHub's take on that? I understand that abusing this would probably be a violation of GitHub TOS and/or GitHub Privacy Statement, but in my opinion, this is also a security issue that should be fixed.

For example, GitHub already counts commits on a user's contributions graph with the following rules applied. Quote from "Why are my contributions not showing up on my profile?":

In addition, at least one of the following must be true:
- You are a collaborator on the repository or are a member of the organization that owns the repository.
- You have forked the repository.
- You have opened a pull request or issue in the repository.
- You have starred the repository.

Could it maybe be possible to apply the same rules when displaying the links to a GitHub user's profile page? That would make it much more difficult to link the private email address to someone's GitHub user account. There could also be an option in the email settings controlling the behavior of linking the profile when the email is found in a commit.

Thanks!