Microsoft to Acquire GitHub for $7.5 Billion

Microsoft on Monday announced that it has agreed to acquire software development and collaboration platform GitHub in a deal valued at $7.5 billion.

Under the terms of the agreement, Microsoft will acquire GitHub for $7.5 billion in Microsoft stock. The deal is expected to close by the end of 2018, subject to customary closing conditions and regulatory review.

GitHub is a cloud-based repository for source code, offering hosting, version control management and code collaboration capabilities. It is thought to have 27 million developers using its services in nearly every country in the world, and to host 80 million code repositories. Microsoft is already a major user of GitHub, reportedly with more than 1,000 employees pushing code to GitHub repositories.

GitHub was valued at $2 billion at its most recent funding round in 2015.

The acquisition makes sense for Microsoft, given its increasing involvement with Linux and open source projects. There is, however, concern among many of the independent developers using the service, who point to a perceived performance reduction at both LinkedIn and Skype following their earlier acquisitions by Microsoft.

"LinkedIn has turned into a slow-loading junk after the Microsoft acquisition. I can only imagine what awaits GitHub," tweeted Catalin Cimpanu.

A further concern is that ownership could give Microsoft access to the source of potentially competitive or disruptive projects. "This is not all about Microsoft," was another tweet. "This is about the independence of what has become the de-facto home of open source. It shouldn't be owned by any company that has any agenda other than host that home."

Robert Graham of Errata Security has a different concern. GitHub has a history of national censorship attempts -- a DDoS out of Russia in 2014; blocked in India in 2014; a DDoS apparently out of China in 2015; and blocked in Turkey in 2016. On February 28, 2018, GitHub was hit by a world record DDoS peaking at 1.35 Tbps.

His concern now is that China would be able to censor GitHub via Microsoft. It cannot currently censor individual pages (such as those about the Tiananmen Square massacre in 1989) because GitHub forces the use of SSL/TLS, so the China Firewall cannot see which pages are being accessed. "The only option," he tweeted, "would be to block the entire site, all access to http://GitHub.com, but China can't do that either, because so much source code is hosted on GitHub -- source code their industry needs in order to build products."

He believes that GitHub, as an independent organization, is too important to be blocked by the Chinese government. "When Microsoft buys GitHub, however, China will now have leverage, threatening other Microsoft interests in China in order to pressure Microsoft into censoring some GitHub pages."

In the meantime, with few details of the terms and conditions, users' reactions have been largely emotional. There was widespread concern that Microsoft's motive in buying LinkedIn was to gain access to the personal details of the world's business management. There is similar concern now that Microsoft is seeking to gain some form of control over the world's open source software.

This is unlikely. SecurityWeek spoke to Robin Wood (aka DigiNinja), an independent penetration tester who uses GitHub to host the tools he develops for his trade. Assuming the purchase is finalized, "I think the important thing to look at is the exact details of the terms and conditions and any changes they decide to make to it," he told SecurityWeek. "There may be clauses in there about ownership or use without license that currently don't mean much but could mean a lot with the change of ownership."

For the moment, he is not worried by the takeover. "There are a number of established alternatives, so they can't do much to mess up actual usage otherwise people will just move away. So probably no real change for most users of the service but some with tools that Microsoft are interested in may be hit."

For himself and his own repositories, "I won't be moving my tools unless there are any specific negative changes that affect me, but I reckon there will be a bunch of people jumping ship early just in case, and another bunch fear-mongering about all the nasty stuff that might happen, most of it just guess work."

Microsoft Corporate Vice President Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub’s current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to Executive Vice President Scott Guthrie, to work on strategic software initiatives, Microsoft said.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.