Cybersecurity Community Unhappy With GitHub’s Proposed Policy Updates

GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes.

The community has been asked to provide feedback until June 1 on proposed clarifications regarding exploits and malware hosted on GitHub.

“Our policy updates focus on the difference between actively harmful content, which is not allowed on the platform, and at-rest code in support of security research, which is welcome and encouraged. These updates also focus on removing ambiguity in how we use terms like ‘exploit,’ ‘malware,’ and ‘delivery’ to promote clarity of both our expectations and intentions,” Mike Hanley, the CSO of GitHub, said in a blog post on Thursday.

He added, “These updates are aimed to set clear parameters for the security research community on how GitHub responds to abuse reports relating to malware and exploits on the platform, as well as provide transparency into how GitHub decides whether or not to place restrictions on projects.”

The proposed changes come after the Microsoft-owned code sharing service removed a proof-of-concept (PoC) exploit for the recently disclosed Microsoft Exchange vulnerabilities that have been exploited in many attacks. Some members of the cybersecurity industry were unhappy with the decision, alleging that it was likely only removed because it targeted Microsoft products and that similar exploits targeting software from other vendors have not been removed.

GitHub at the time said it removed the PoC in accordance with its acceptable use policies, and some experts pointed out that GitHub had in fact removed exploits targeting other vendors’ products, suggesting that the Exchange exploit wasn’t removed only because it was detrimental to Microsoft.

Now, GitHub wants to update its policies around malware and exploits to avoid problems in the future.

“Under no circumstances will users upload, post, host, execute, or transmit any content that: contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm,” reads the updated policy proposed by GitHub.

One paragraph that was added to the GitHub community guidelines reads, “GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution.”

A majority of those who provided feedback are not happy with the proposed changes.

“By using verbiage such as ‘contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm’ in your use policy, you are effectively designating yourselves as the police of what constitutes ‘causing harm’. By one person’s definition, that may just be an exploit proof of concept, by another that may be the whole metasploit framework,” said Jason Lang, senior security consultant at TrustedSec.

Robert Graham of Errata Security noted that the use of wording such as “support of ongoing and active attacks” is “a vague catchall that’s impossible to determine if somebody has violated.”

“Hackers have already automated download of my code in their attacks, meaning that I’m violating the new rules technically,” Graham said.

In response to the criticism, Hanley noted that the feedback received by the company will be taken into account.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.