I've bought from the Humble Store twice recently, both transactions have been accepted instantly (i.e. before being included in the blockchain).

I don't believe that anyone's heard of a successful Bitcoin double-spend attack against a competent merchant yet.

That's because protection was added (about a year ago I think) to rapidly broadcast detected double-spends through the network. Before the canary function, it actually used to be pretty easy to get a double-spend accepted into the network within 5 minutes of the first spend.

The Humble Bundle uses Coinbase to accept bitcoin, so they'd be completely insulated from actually dealing with bitcoin. I did notice that I got the payment confirmation & game link email when the transaction I sent had 1 confirmation though.

I wonder how many of their sales processed by Paypal get reversed.