All companies should be doing internal penetration/security testing. If you don't do it, someone in China or Russia will do it for you, you just won't know. I hope GitHub is doing this too. Google, for example, has an entire team whose task it is to exploit such attack vectors and close the holes in all sorts of products and processes, often with stunning results. I'm not sure if the rest of FAANG does this, although I'd be surprised if Facebook doesn't do essentially the same. I would not be surprised if Amazon or Apple don't do it, at least not to the extent you'd see at Google (no holds barred, the red team gets to pwn everything). Netflix, I'm not sure, they probably have something. Microsoft probably doesn't do it, since it'd make people look bad, and in their back-stabbing corporate culture people can't afford to look bad.