You are actually very protected in documenting security flaws, and even republishing them.
I am unsure of who you think enforces laws... as far as I know OpenAI doesn't have their own police force yet.
They can sue you of course, but they generally can't demand compliance with takedowns in this case without first going to a judge and requesting a court order.
There is no "commercial law" unless you mean UCC.. which doesn't apply here.
Still, there's nothing illegal about GitHub deleting your repo for any reason they choose as long as they're a private entity not owned by the government.
I'm not a lawyer or even an American but that certainly isn't how the DMCA works. The takedown is issued against the hosting company and, if they comply, they have no further liability. If they don't comply, they are liable in court so, of course, they all comply.
There's a difference between being compelled by a court order to take down a repo and choosing to comply with a DMCA takedown notice of dubious validity because you don't want to waste any more time on the issue and are happy to screw your users.
You are actually very protected in documenting security flaws, and even republishing them.
I am unsure of who you think enforces laws... as far as I know OpenAI doesn't have their own police force yet.
They can sue you of course, but they generally can't demand compliance with takedowns in this case without first going to a judge and requesting a court order.
There is no "commercial law" unless you mean UCC.. which doesn't apply here.