GitHub launches a new policy about hosting malware source code

by ddos · June 7, 2021

GitHub recently released its updated community guidelines, explaining how the company will deal with vulnerabilities and malware samples hosted on its services.

Security researcher Nguyen Jang uploaded a proof-of-concept (PoC) to GitHub in March, which is a Microsoft Exchange ProxyLogon vulnerability. Soon after uploading the PoC, Jang received an email from GitHub stating that the PoC was deleted due to a violation of the Acceptable Use Policy. In the statement, GitHub stated that it deleted the PoC to protect the Microsoft Exchange server that was heavily exploited at the time.

However, GitHub immediately faced a counterattack from security researchers who believed that GitHub was monitoring the disclosure of legal security research simply because it affected Microsoft’s products.

In April, GitHub issued a “call for feedback” to the cybersecurity community regarding their policy on malware and vulnerabilities hosted on GitHub.

After more than a month of discussion, GitHub officially announced that it is forbidden to host malware for malicious activities, serve as a command and control server, and repositories created for the distribution of malicious scripts. However, PoC vulnerabilities and malicious software for the purpose of actively sharing new information and security research with the outside world are allowed.

The key changes added to the GitHub guidelines include the following:

We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits. We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. This change modifies previously broad language that could be misinterpreted as hostile toward projects with dual-use, clarifying that such projects are welcome.

We have clarified how and when we may disrupt ongoing attacks that are leveraging the GitHub platform as an exploit or malware content delivery network (CDN). We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.

We made clear that we have an appeals and reinstatement process directly in this policy. We allow our users to appeal decisions to restrict their content or account access. This is especially important in the security research context, so we’ve very clearly and directly called out the ability for affected users to appeal action taken against their content.

We’ve suggested a means by which parties may resolve disputes prior to escalating and reporting abuse to GitHub. This appears in the form of a recommendation to leverage an optional SECURITY.md file for the project to provide contact information to resolve abuse reports. This encourages members of our community to resolve conflicts directly with project maintainers without requiring formal GitHub abuse reports.

GitHub stated that they will continue to support community feedback on their policies to continue to improve their policies.