GitHub to prohibit code that’s used in active attacks

The coding repository updates its policies to tighten up security in light of concerns it might be exploited

GitHub has introduced a series of updates to its policies to reduce the potential for hackers to abuse the platform, including a ban on any code that's used in ongoing attacks.

Revisions to the open source platform's policies on security research, malware and exploits are intended to keep the platform open to security researchers while maintaining enough safeguards that GitHub itself isn't abused.

As part of the changes, GitHub has stressed that it explicitly allows dual-use security technologies and content related to security research, on the assumption that details of exploit mechanisms are published with positive intent. The platform will, however, take action against any projects that may cause harm to others.

"We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community," said GitHub's chief security officer, Mike Hanley. "We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.

"We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we've further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss."

The nature of open source means developers are generally free to upload their own code or projects and contribute to the work of others, with GitHub serving as a key platform for allowing that collaboration. 

Users are prohibited, however, from uploading or sharing any content through the platform that can be used to deliver malicious files, or from manipulating GitHub so that it serves as command-and-control (C&C) infrastructure.

Where there's widespread abuse of dual-use security content, GitHub's policies suggest that moderators will restrict access to that content in order to disrupt ongoing attacks or malware campaigns. In most instances, content will be placed behind an authentication barrier, but as a last resort, the platform may even disable access or fully remove projects. 

The site has also established an appeals process for repository owners who feel their content has been restricted unfairly. 

Because GitHub is an open platform, anchored in the open source ethos, many have raised concerns through the years that hackers and cyber crime gangs have taken advantage of these principles to expand their activities. 


For example, Avast researchers identified several instances of hackers uploading cryptocurrency mining malware onto GitHub in 2018 by "forking" other people's legitimate projects and adding malicious code to the forked repository.

Last year, meanwhile, several GitHub projects related to the NetBeans Java software were infected with malware known as Octopus Scanner, which carved backdoors and infected files with a payload.

GitHub's policy changes come several weeks after the platform announced it wanted to consult with developers over how best to tighten up the general security of the ecosystem while preserving the integrity of security research. 
