I feel like this relies more on social engineering itself than anything else. I think confirmations / captchas should be in use for any critical functionality anyway, but watching the exploit vid makes it seem like I can submit a bug for a user going to GitHub, downloading malware, then running that malware, because an email told them they should. The extra tab involvement wouldn't raise any red flags for a user?