In the latest developments, GitHub has formally announced a range of updates in their policies that regulates and handles the exploit codes and malware that get posted on the platform.
GitHub taking measures against abuse of platform:
The code-hosting Platform noted that they categorically allow dual-use technologies and research related to malware, exploits, and vulnerabilities on their platform. “We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.” provided GitHub.
The code repository platform also stated that they might take additional measures to obstruct ongoing cyber activities and attack that mal-utilize the GitHub platform as a malware content delivery network (CDN).
To meet the required prevention measures, GitHub users are prohibited from uploading, posting, or transmitting any type of content that might be cyber-critical or malicious.
This type of content can be mal-utilized to deliver or deploy malicious executables or abuse the code hosting platform, adding an attack infrastructure by coordinating DoS attacks to manage command-to-control (C2) servers.
“Technical harm means overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring,” GitHub said.
GitHub statements for newer policies:
- We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits. We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. This change modifies previously broad language that could be misinterpreted as hostile toward projects with dual-use, clarifying that such projects are welcome.
- We have clarified how and when we may disrupt ongoing attacks that are leveraging the GitHub platform as an exploit or malware content delivery network (CDN). We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.
- We made clear that we have an appeals and reinstatement process directly in this policy. We allow our users to appeal decisions to restrict their content or account access. This is especially important in the security research context, so we’ve very clearly and directly called out the ability for affected users to appeal action taken against their content.
- We’ve suggested a means by which parties may resolve disputes prior to escalating and reporting abuse to GitHub. This appears in the form of a recommendation to leverage an optional SECURITY.md file for the project to provide contact information to resolve abuse reports. This encourages members of our community to resolve conflicts directly with project maintainers without requiring formal GitHub abuse reports.
Measures following criticism for removal of important PoC:
GitHub says that in a case where there is an active abuse of dual-use content, they might also abstain access to such content by placing it behind authentication walls while in extreme cases, disable access or remove it altogether.
The newest, stricter policies of the GitHub platform come after the widespread criticism that the platform faced when a proof-of-concept (PoC) exploit code was removed from the platform in March 2021.
The code, uploaded by a security researcher, included a set of security flaws known as ProxyLogon that Microsoft disclosed were being abused by Chinese state-sponsored hacking groups to breach Exchange servers worldwide.
GitHub at the time said it removed the PoC in accordance with its acceptable use policies, citing it included code “for a recently disclosed vulnerability that is being actively exploited.”