Updated GitHub policies vow to eliminate exploitative code to protect against attacks


GitHub, the open-source platform for developers, has officially stated that it is updating its site policies regarding exploit code and malware uploaded to the platform.

Details about the updated policies

GitHub has stated that it will not allow its platform to be used in direct support of malware campaigns or unlawful attacks that may cause technical harm. The company has also said that it is taking steps to disrupt ongoing attacks that use the platform as a malware or exploit content delivery network (CDN).

GitHub users must refrain from posting, transmitting, or uploading any content that can count as malware.

The company clearly stated that technical harm includes overconsumption of resources, physical destruction, downtime, denial of service, or data loss that serves no other purpose.

When and how?

GitHub will enforce its policies when there is widespread and active abuse of dual-use content, in which case it may restrict access to that content by placing it behind authentication barriers, a step it describes as a “last resort.” It may also remove the content altogether or disable access entirely if other restriction measures cannot be applied.

The company also stated that it would contact the owners of the affected project and inform them about the controls that have been put into place.

Why are they making these changes?

These changes follow a consultation that GitHub began at the end of April 2021, soliciting feedback on its policy regarding security exploits, malware, and security research on the platform. The goal was to operate under more explicit terms and remove the ambiguity surrounding the terms “at-rest code” and “actively harmful content,” so as to support security research.

GitHub also revised its policies in response to the widespread criticism it received in March 2021 after PoC (proof-of-concept) exploit code was removed from the platform. It will now not take down exploits unless the code or repository in question has been directly incorporated into an active campaign.