
My recollection (though I don't know much about Rails and this is just going from memory) is that he attempted to make an argument to the Rails team for more secure defaults in parameter parsing and for the framework to steer apps towards more secure use. When they brushed him off and said it was ultimately the caller's responsibility to use it right, he exploited GitHub to make his point.

