Coding platforms explicitly permits proof of concept exploits
GitHub has updated its policy on malware and exploit research to make the platform more accommodating to vulnerability hunters.
The policy changes mean that dual-use security research and collaboration on GitHub is explicitly permitted.
GitHub has retained the ability to disrupt any attempts to abuse its platform in active exploit or malware delivery campaigns.
What this means in practice is that posting proof of concept exploits or vulnerabilities will be permitted and even encouraged by GitHub, but that this permission will be pulled in the event of any malfeasance.
If code hosted on GitHub causes downtime, denial of service, or data loss then the offending code will be pulled. The same policy will apply to any active malware slinging or exploit abusing campaign.
GitHub has introduced an appeals and reinstatement process to handle any disputes. The coders hangout wants security researchers to include their contact information in the optional SECURITY.md file so that concerned parties can attempt to resolve disputes prior to escalating and reporting any suspected abuse to GitHub.
GitHub’s policy changes, announced on Friday, follow weeks of consultations with the community, launched in April.
Ray Walsh, a digital privacy expert at ProPrivacy, told The Daily Swig that GitHub's policy update on exploits, malware, and vulnerability research is "intended to clarify existing policies rather than to introduce new ones".
"The community informed policy changes help to do away with gray areas and confusion surrounding the hosting of code that might have previously been considered infringing," Walsh explained.
"GitHub has now further clarified that 'dual use' technologies instrumental to security practices, such as penetration testing, are considered crucial enough to be hosted on the platform."
Walsh concluded: "Open-source tools that can potentially be leveraged for nefarious purposes often have valid use cases, and it is great to see GitHub working with the community to clarify why and when code can be hosted – and how appeals can be made if content believed to have beneficial applications has been unnecessarily or unfairly restricted."