Security Experts:

Cybersecurity Community Unhappy With GitHub's Proposed Policy Updates

GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes.

The community has been asked to provide feedback until June 1 on proposed clarifications regarding exploits and malware hosted on GitHub.

“Our policy updates focus on the difference between actively harmful content, which is not allowed on the platform, and at-rest code in support of security research, which is welcome and encouraged. These updates also focus on removing ambiguity in how we use terms like ‘exploit,’ ‘malware,’ and ‘delivery’ to promote clarity of both our expectations and intentions,” Mike Hanley, the CSO of GitHub, said in a blog post on Thursday.

He added, “These updates are aimed to set clear parameters for the security research community on how GitHub responds to abuse reports relating to malware and exploits on the platform, as well as provide transparency into how GitHub decides whether or not to place restrictions on projects.”

The proposed changes come after the Microsoft-owned code sharing service removed a proof-of-concept (PoC) exploit for the recently disclosed Microsoft Exchange vulnerabilities that have been exploited in many attacks. Some members of the cybersecurity industry were unhappy with the decision, alleging that it was likely only removed because it targeted Microsoft products and that similar exploits targeting software from other vendors have not been removed.

GitHub at the time said it removed the PoC in accordance with its acceptable use policies, and some experts pointed out that GitHub had in fact removed exploits targeting other vendors’ products, suggesting that the Exchange exploit wasn’t removed only because it was detrimental to Microsoft.

Now, GitHub wants to update its policies around malware and exploits to avoid problems in the future.

“Under no circumstances will users upload, post, host, execute, or transmit any content that: contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm,” reads the updated policy proposed by GitHub.

One paragraph that was added to the GitHub community guidelines reads, “GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution.”

A majority of those who provided feedback are not happy with the proposed changes.

“By using verbiage such as ‘contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm’ in your use policy, you are effectively designating yourselves as the police of what constitutes ‘causing harm’. By one person's definition, that may just be an exploit proof of concept, by another that may be the whole metasploit framework,” said Jason Lang, senior security consultant at TrustedSec.

Robert Graham of Errata Security noted that the use of wording such as “support of ongoing and active attacks” is “a vague catchall that's impossible to determine if somebody has violated.”

“Hackers have already automated download of my code in their attacks, meaning that I'm violating the new rules technically,” Graham said.

In response to the criticism, Hanley noted that the feedback received by the company will be taken into account.

Related: GitHub Informs Users of 'Potentially Serious' Authentication Bug

Related: Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.