As with any insider trading case, they just need to prove access to the information. So either a witness needs to come forward and say "I told X to Y executive" or they need email/phone records which prove that such information was shared with these individuals.
Unlike crimes like murder, insider trading is not predicated on intent, so proving intent is unnecessary.
Interesting. In that case, isn't all trading, given you work for an employer, "insider trading." If you see a bug opened on your company's GitHub and think it's crucial and sell all of your stock that's insider trading right?
IANAL but I believe that the spirit of the law being that insider trading is when you use confidential/privileged information to decide your trades. In this case IF they knew about the breach and made trades before a public announcement then that is insider trading. As for github bug report, that seems like a legal gray area.
Did you choose GitHub because (most) repositories there are public? If that's the question, I'm pretty sure it wouldn't be insider trading, because by definition it wasn't inside knowledge.
(Unless it required other, non-public data to know that the bug was important)
Also, if there was a "bad vibe" at the company, but they didn't specifically know about the breach, would that be insider trading?