Is this a GitHub security vulnerability?

Judge for yourselves

Michael Azarkevich
1 min read · Jun 5, 2014

As a complete security newbie, bug bounty programs seem like a fun thing to participate in and a great learning experience. GitHub's in particular, since I use and enjoy their service very much.

While searching for a vulnerability on GitHub, I stumbled across the githubusercontent.com domain from which GitHub serves static content. For example, if you put an image in one of your gists it’s cached on GitHub’s servers and the copy on githubusercontent.com is served, not the original.

The thing is, when caching SVG files GitHub performs no sanitization whatsoever of the content.

The most I could get from this was a rather uninteresting XSS. When clicking on a malicious SVG image, arbitrary JS is run, but only in the context of githubusercontent.com and only on browsers that don’t support Content-Security-Policy (e.g. IE). Here’s a POC.
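The two controls a static host would want here are a pre-cache check for script-capable SVG content (the one that still matters on browsers without CSP support) and response headers that keep a cached SVG from running script in the host's origin. The following is an added example, not GitHub's code or anything from the original post; the function names, the header set and the sample SVG documents are my own constructions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: one plain image, one carrying script-capable content.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>/* constructed sample, does nothing */</script>'
    '<rect width="1" height="1" onclick="void 0"/>'
    '<a xlink:href="javascript:void 0"><text>x</text></a>'
    '</svg>'
)


def active_content(svg_text: str) -> list[str]:
    """List the script-capable constructs found in an SVG document.

    Caveat: xml.etree is not hardened against entity-expansion attacks;
    a production check should parse with defusedxml instead (assumption:
    the input here is small and trusted enough for the stdlib parser).
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():  # iter() includes the root element itself
        tag = el.tag.split("}")[-1].lower()  # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"event handler attribute {local} on <{tag}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def safe_to_cache(svg_text: str) -> bool:
    """True only when the document carries none of the constructs above."""
    return not active_content(svg_text)


def static_response_headers(content_type: str = "image/svg+xml") -> dict[str, str]:
    """Headers for serving user-supplied SVG: no script, no sniffing, sandboxed origin."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
```

The header set only protects browsers that honour CSP, which is why the content check is the control that covers the IE case described above.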

This isn't a serious problem at all and GitHub said, in reply to an email I sent, that “We might change the behavior in the future, but for now we are considering this to be low risk.”

However, some people I asked about this pointed out that it may lead to slightly more serious problems such as clickjacking.

I don’t have the expertise to provide a POC for other vulnerabilities but I have a hunch they exist, so I’m putting this out in the open so more experienced security researchers can have a go at it.

Good luck.

Michael Azarkevich

18 y/o from Israel, aspiring programmer and OSS developer (TINA-ORM, Amanda, Unirest .NET) and generally cool guy.