As noted at https://github.com/JTracker/jissues/blob/master/libraries/tracker/application/hooks.php#L103, we're pulling in the payload for the web hook scripts directly from the $_POST superglobal. Though we can assume that data received from GitHub would be properly cleaned, there's still the chance someone could IP spoof and attempt to do terrible things to the tracker instance. So, we should get the data via JInput.
When I first implemented the hooks, I tried and tried, but couldn't make it work. Anyone who's looking to work on this can find a sample payload at https://help.github.com/articles/post-receive-hooks which can be used to test the hook.
Yep, we're good to go now.
I think this can be closed. I cannot remember a $_POST when hacking through the hooks stuff.
?