Standoff with researchers may emerge as GitHub floats stricter policies

GitHub on Thursday solicited the comments of the security research community on its new, apparently stricter policies for posting malware and proof-of-concept exploits. But the response may have been more than it bargained for.

Some of the changes date back to a month ago when GitHub, which is owned by Microsoft, removed a proof-of-concept exploit for the so-called ProxyLogOn vulnerabilities in Microsoft Exchange that have led to more than 100,000 server infections. There were also other incidents dating back more than a year in which GitHub repositories were found to be infected with malware and capable of being exploited in a supply chain attack.

GitHub, which researchers use as a platform where they can test and experiment, said in a blog post that these updates also focus on removing ambiguity in how the platform will define terms such as “exploit,” “malware,” and “delivery” – the platform’s effort to clearly state its expectations and intentions.

Security researchers expressed skepticism, arguing that if or when software ever gets removed, GitHub would have to outline a very clear-cut and transparent reason; otherwise, users will likely rebel and flee to other platforms, said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows.

Nikkel said some researchers have raised great points with existing off-the-shelf, legitimate tools such as Metasploit or Mimikatz, or other similar software that adversaries frequently abuse.

“Are these now also illegitimate? While starting the public discussion is a significant step, transparency around the end goal and the future will need to be spelled out clearly to GitHub users,” Nikkel said. “Suppose GitHub does end up taking stronger steps towards locking down what’s acceptable on the platform. In that case, the conditions of what they understand as an actual attack or threat would also need to be spelled out fairly clearly, and in terms…