GitHub Tightens Rules for Posting Exploits
GitHub has posted changes to the policy regarding the placement of exploits and malware research results, and compliance with the US Digital Millennium Copyright Act (DMCA). The changes are still in the draft state, available for discussion for 30 days.
The following conditions have been added to the DMCA compliance rules, in addition to the previously present prohibition of distribution and ensuring the installation or delivery of active malware and exploits:
- Explicit prohibition of placing technologies in the repository to bypass technical means of copyright protection, including license keys, as well as programs for generating keys, bypassing key verification and extending the free period of work.
- The procedure for filing an application for the removal of such a code is introduced. The applicant for removal is required to provide technical details, with a declared intent to submit the application for examination prior to blocking.
- When blocking a repository, they promise to provide the ability to export issues and PRs, and offer legal services.
The changes to the exploit and malware policy reflect criticism following Microsoft's removal of a prototype Microsoft Exchange exploit used to carry out attacks. The new rules attempt to explicitly separate the dangerous content used to carry out active attacks from the code that accompanies security research. Changes made:
- The section prohibiting "spam", cheating, participation in the cheating market, programs for violating the rules of any sites, phishing and its attempts have been moved above.
- Added a clause explaining the possibility of filing an appeal in case of disagreement with the blocking.
- Added a requirement for owners of repositories that host potentially dangerous content as part of security research. The presence of such content must be explicitly mentioned at the beginning of the README.md file, and contact information must be provided in the SECURITY.md file. It is stated that, in general, GitHub does not remove exploits published along with security studies for already disclosed vulnerabilities (not 0-day), but reserves the ability to restrict access if it considers that there is still a risk of using these exploits for real attacks and into the service GitHub support has received complaints about the use of code for attacks.