IANAL but I believe that the spirit of the law being that insider trading is when you use confidential/privileged information to decide your trades. In this case IF they knew about the breach and made trades before a public announcement then that is insider trading. As for github bug report, that seems like a legal gray area.