[BreachExchange] GitHub Updated Policies For Actively Used Exploits, Malware & Vulnerability Research

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 8 13:05:17 EDT 2021 

https://gbhackers.com/github-policies-policies/

A set of all-new updates were being released by GitHub on Friday, all the
updates pronounce that how the company will deal with all kinds of exploits
and malware samples that are hosted on their service.

GitHub is one of the famous internet hosting providers (hosting for
software development and version control). According to the experts, all
these updates were quite necessary as nowadays malware attacks are
increasing rapidly.

After the release of the new updates, the security researcher Nguyen Jang
got an email from Microsoft that is owned by GitHub. The email states that
the proof-of-concept(PoC) exploit has been detached as it breaches the
Acceptable Use Policies.

Soon after that, in a report, GitHub asserted that they have taken down the
PoC, as they want to defend Microsoft Exchange servers because recently
these servers were being deliberately exploited when the vulnerability was
being used.

Apart from all these the experts also affirmed that these new updates will
not allow the use of GitHub in support of all illegitimate attacks or any
other malware campaigns, as it generally causes technical harm.

Updated guidelines

With policy updates, GitHub also declared that the uploading of PoC
exploits and malware are authorized if they have a dual-user purpose.

Everyone prefers dual-use content, as it means that it can be used for all
kinds of positive sharing of new data, and at the same time it can also be
utilized for malicious purposes.

However, GitHub has added some key changes in their new updated guidelines,
and here we have mentioned them below:-


   - We explicitly permit dual-use security technologies and content
   related to research into vulnerabilities, malware, and exploits. Everybody
   knows that there is a lot of security research that has dual-use in GitHub
   and has benefited the security community in many ways.
   - We have clarified how and when we may disrupt ongoing attacks that are
   leveraging the GitHub platform as an exploit or malware content delivery
   network (CDN). The experts state that GitHub is not being used directly for
   malicious attacks, as it causes physical damage, overconsumption of
   resources, and many more.
   - We made clear that we have an appeal and reinstatement process
   directly in this policy. GitHub always allows each and every user to tempt
   their own decisions, as it restricts access to content or accounts of the
   users.
   - We’ve suggested a means by which parties may resolve disputes prior to
   escalating and reporting abuse to GitHub. The main motive of these updates
   is to encourage each and every member of the community to solve the
   conflicts directly with project maintainers.

All these changes were made with the goal to allow, welcome, and encourage
dual-use security research and collaboration on GitHub.

Not only this, but GitHub also pronounced that to keep improving its
policies from time to time it will keep supporting the community feedback
regarding its policies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210608/57d0e343/attachment.html>

More information about the BreachExchange mailing list