Code-hosting platform GitHub Friday officially announced a series of updates to the site’s policies that delve into how the company deals with malware and exploit code uploaded to its service.
“We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits,” the Microsoft-owned company said. “We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.”
Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or a malware content delivery network (CDN).
To that end, users are refrained from uploading, posting, hosting, or transmitting any content that could be used to deliver malicious executables or abuse GitHub as an attack infrastructure, say, by organizing denial-of-service (DoS) attacks or managing command-and-control (C2) servers.
“Technical harms means overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring,” GitHub said.
In scenarios where there is an active, widespread abuse of dual-use content, the company said it might restrict access to such content by putting it behind authentication barriers, and as a “last resort,” disable access or remove it altogether when other restriction measures are not feasible. GitHub also noted that it would contact relevant project owners about the controls put in place where possible.
The changes come into effect after the company, in late April, began soliciting feedback on its policy around security research, malware, and exploits on the platform under a clearer set of terms that would remove the ambiguity surrounding “actively harmful content” and “at-rest code” in support of security research.
By not taking down exploits unless the repository or code in question is incorporated directly into an active campaign, the revision to GitHub’s policies is also a direct result of widespread criticism that followed in the aftermath of a proof-of-concept (PoC) exploit code that was removed from the platform in March 2021.
The code, uploaded by a security researcher, concerned a set of security flaws known as ProxyLogon that Microsoft disclosed were being abused by Chinese state-sponsored hacking groups to breach Exchange servers worldwide. GitHub at the time said it removed the PoC in accordance with its acceptable use policies, citing it included code “for a recently disclosed vulnerability that is being actively exploited.”