There was a security bug in github. Regardless of whether it is due to bad defaults in Rails, it was still a security bug in github.
He exploited the bug and disrupted a project registered by another user. I'm shocked that they even reinstated his account at all. This was entirely irresponsible especially since for a brief period of time, it was a zero-day exploit that someone more malicious could have exploited.
Had github not responded so quickly, this stunt could have put a lot of people's repositories in jeopardy.