Cybersecurity Community Unhappy With GitHub’s Proposed Policy Updates

GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes.

The community has been asked to provide feedback until June 1 on proposed clarifications regarding exploits and malware hosted on GitHub.

“Our policy updates focus on the difference between actively harmful content, which is not allowed on the platform, and at-rest code in support of security research, which is welcome and encouraged. These updates also focus on removing ambiguity in how we use terms like ‘exploit,’ ‘malware,’ and ‘delivery’ to promote clarity of both our expectations and intentions,” Mike Hanley, the CSO of GitHub, said in a blog post on Thursday.

He added, “These updates are aimed to set clear parameters for the security research community on how GitHub responds to abuse reports relating to malware and exploits on the platform, as well as provide transparency into how GitHub decides whether or not to place restrictions on projects.”

The proposed changes come after the Microsoft-owned code hosting service removed a proof-of-concept (PoC) exploit for the recently disclosed Microsoft Exchange vulnerabilities, which have been exploited in many attacks. Some members of the cybersecurity industry were unhappy with the decision, alleging that the PoC was likely removed only because it targeted Microsoft products, and that similar exploits targeting other vendors’ software had not been removed.

GitHub said at the time that it removed the PoC in accordance with its acceptable use policies, and some experts pointed out that GitHub had in fact previously removed exploits targeting other vendors’ products, suggesting that the Exchange exploit was not removed only because it was detrimental to Microsoft.

Now GitHub wants to update its policies on malware and exploits to avoid similar disputes in the future.

“Under no circumstances will users upload, post, host, execute, or transmit any content that: contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm,” reads the updated policy proposed by GitHub.

One paragraph that was added to the GitHub community guidelines reads, “GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution.”

Most of those who have provided feedback so far are not happy with the proposed changes.

“By using verbiage such as ‘contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm’ in your use policy, you are effectively designating yourselves as the police of what constitutes ‘causing harm’. By one person’s definition, that may just be an exploit proof of concept, by another that may be the whole metasploit framework,” said Jason Lang, senior security consultant at TrustedSec.

Robert Graham of Errata Security noted that the use of wording such as “support of ongoing and active attacks” is “a vague catchall that’s impossible to determine if somebody has violated.”

“Hackers have already automated download of my code in their attacks, meaning that I’m violating the new rules technically,” Graham said.

In response to the criticism, Hanley said the feedback received by the company would be taken into account before the policy is finalized.

Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug

Related: Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
