Note: GitHub discovered that a bug exposed a small number of users' passwords to their internal logging system, recording plaintext user passwords when users initiated a password reset. The bug was fixed in May 2018, and was introduced shortly before fixing it.
Disclosures:
Site uses a slow hashing function, this is disclosed "on-site", in the docs, FAQ, etc.