
Cybersecurity Community Unhappy With GitHub’s Proposed Policy Updates

GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes.

The community has been asked to provide feedback until June 1 on proposed clarifications regarding exploits and malware hosted on GitHub.

“Our policy updates focus on the difference between actively harmful content, which is not allowed on the platform, and at-rest code in support of security research, which is welcome and encouraged. These updates also focus on removing ambiguity in how we use terms like ‘exploit,’ ‘malware,’ and ‘delivery’ to promote clarity of both our expectations and intentions,” Mike Hanley, the CSO of GitHub, said in a blog post on Thursday.

He added, “These updates are aimed to set clear parameters for the security research community on how GitHub responds to abuse reports relating to malware and exploits on the platform, as well as provide transparency into how GitHub decides whether or not to place restrictions on projects.”

The proposed changes come after the Microsoft-owned code sharing service removed a proof-of-concept (PoC) exploit for the recently disclosed Microsoft Exchange vulnerabilities that have been exploited in many attacks. Some members of the cybersecurity industry were unhappy with the decision, alleging that it was likely only removed because it targeted Microsoft products and that similar exploits targeting software from other vendors have not been removed.

GitHub at the time said it removed the PoC in accordance with its acceptable use policies, and some experts pointed out that GitHub had in fact removed exploits targeting other vendors’ products, suggesting that the Exchange exploit wasn’t removed only because it was detrimental to Microsoft.

Now, GitHub wants to update its policies around malware and exploits to avoid problems in the future.

“Under no circumstances will users upload, post, host, execute, or transmit any content that: contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm,” reads the updated policy proposed by GitHub.

One paragraph that was added to the GitHub community guidelines reads, “GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution.”

A majority of those who provided feedback are not happy with the proposed changes.

“By using verbiage such as ‘contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm’ in your use policy, you are effectively designating yourselves as the police of what constitutes ‘causing harm’. By one person’s definition, that may just be an exploit proof of concept, by another that may be the whole metasploit framework,” said Jason Lang, senior security consultant at TrustedSec.

Robert Graham of Errata Security noted that the use of wording such as “support of ongoing and active attacks” is “a vague catchall that’s impossible to determine if somebody has violated.”

“Hackers have already automated download of my code in their attacks, meaning that I’m violating the new rules technically,” Graham said.

In response to the criticism, Hanley noted that the feedback received by the company will be taken into account.

Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug

Related: Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.