From f220679709b60dd4d6b34465a56b89bb79efcfe6 Mon Sep 17 00:00:00 2001 From: Abby Vollmer Date: Thu, 29 Apr 2021 09:52:42 -0700 Subject: [PATCH 01/11] Update github-acceptable-use-policies.md --- Policies/github-acceptable-use-policies.md | 36 +++++++++++----------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/Policies/github-acceptable-use-policies.md b/Policies/github-acceptable-use-policies.md index ff37a78d..5208bfd4 100644 --- a/Policies/github-acceptable-use-policies.md +++ b/Policies/github-acceptable-use-policies.md @@ -17,7 +17,7 @@ Capitalized terms used but not defined in these Acceptable Use Policies have the You are responsible for using the Service in compliance with all applicable laws, regulations, and all of our Acceptable Use Policies. These policies may be updated from time to time and are provided below, as well as in our [Terms of Service](/articles/github-terms-of-service) and [Corporate Terms of Service](/articles/github-corporate-terms-of-service). ### 2. Content Restrictions -Under no circumstances will Users upload, post, host, execute, or transmit any Content to any repositories that: +Under no circumstances will Users upload, post, host, execute, or transmit any Content that: - is unlawful or promotes unlawful activities; @@ -31,7 +31,7 @@ Under no circumstances will Users upload, post, host, execute, or transmit any C - is or contains false, inaccurate, or intentionally deceptive information that is likely to adversely affect the public interest (including health, safety, election integrity, and civic participation); -- contains or installs any active malware or exploits, or uses our platform for exploit delivery (such as part of a command and control system); or +- contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm; or - infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other right. 
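Review bot: In the `@@ -17,7` hunk, deleting "to any repositories" widens the Content Restrictions from repository content to any Content on the Service (the Advertising section already names Pages, Packages and "all other parts of the Service"); that is a scope change rather than a cleanup, and the commit message, which only says "Update github-acceptable-use-policies.md", should record it.

Review bot: In the `@@ -31,7` hunk, the replacement bullet `contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm` leaves "harm", "ongoing" and "active" undefined and removes the old bullet's only concrete example (exploit delivery as part of a command and control system), so there is no standard an enforcement team or a researcher can apply; define harm in the text (later in this series the wording becomes technical harms such as downtime, denial of service or data loss) and say what evidence establishes an attack as ongoing, for example an abuse report.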
@@ -50,10 +50,21 @@ While using the Service, under no circumstances will you: - violate the privacy of any third party, such as by posting another person's personal information without consent. -### 4. Services Usage Limits +### 4. Spam and Inauthentic Activity on GitHub +Automated excessive bulk activity and coordinated inauthentic activity, such as spamming, are prohibited on GitHub. Prohibited activities include: +* bulk distribution of promotions and advertising prohibited by GitHub terms and policies +* inauthentic interactions, such as fake accounts and automated inauthentic activity +* rank abuse, such as automated starring or following +* creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity +* using GitHub as a platform for propagating abuse on other platforms +* phishing or attempted phishing + +GitHub reserves the right to remove any Content in violation of this policy. + +### 5. Services Usage Limits You will not reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without our express written permission. -### 5. Information Usage Restrictions +### 6. Information Usage Restrictions You may use information from our Service for the following reasons, regardless of whether the information was scraped, collected through our API, or obtained otherwise: - Researchers may use public, non-personal information from the Service for research purposes, only if any publications resulting from that research are [open access](https://en.wikipedia.org/wiki/Open_access). 
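Review bot: Moving "Spam and Inauthentic Activity on GitHub" from section 9 up to section 4 renumbers every heading from 4 to 9 across this hunk and the two that follow, while the moved text itself is unchanged; any link or citation that relies on the numbered headings breaks, and a later commit in this series ("move "Spam and Inauthentic Activity" section back to where it was") undoes the move, so either drop the relocation from this patch or squash the two commits so the series history only carries the substantive wording changes.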
@@ -65,15 +76,15 @@ You may not use information from the Service (whether scraped, collected through Your use of information from the Service must comply with the [GitHub Privacy Statement](/github/site-policy/github-privacy-statement). -### 6. Privacy +### 7. Privacy Misuse of User Personal Information is prohibited. Any person, entity, or service collecting data from the Service must comply with the [GitHub Privacy Statement](/articles/github-privacy-statement), particularly in regards to the collection of User Personal Information. If you collect any User Personal Information from the Service, you agree that you will only use that User Personal Information for the purpose for which that User has authorized it. You agree that you will reasonably secure any User Personal Information you have gathered from the Service, and you will respond promptly to complaints, removal requests, and "do not contact" requests from us or other users. -### 7. Excessive Bandwidth Use +### 8. Excessive Bandwidth Use The Service's bandwidth limitations vary based on the features you use. If we determine your bandwidth usage to be significantly excessive in relation to other users of similar features, we reserve the right to suspend your Account, throttle your file hosting, or otherwise limit your activity until you can reduce your bandwidth consumption. We also reserve the right—after providing advance notice—to delete repositories that we determine to be placing undue strain on our infrastructure. For guidance on acceptable use of object storage in repositories, refer to "[What is my disk quota?](/github/managing-large-files/what-is-my-disk-quota)". For more details on specific features' bandwidth limitations, see the [GitHub Additional Product Terms](/github/site-policy/github-additional-product-terms). -### 8. Advertising on GitHub +### 9. Advertising on GitHub **Short version:** *We do not generally prohibit use of GitHub for advertising. 
However, we expect our users to follow certain limitations, so GitHub does not become a spam haven. No one wants that.* While we understand that you may want to promote your Content by posting supporters' names or logos in your Account, the primary focus of the Content posted in or through your Account to the Service should not be advertising or promotional marketing. This includes Content posted in or through Pages, Packages, repositories, and all other parts of the Service. You may include static images, links, and promotional text in the README documents or project description sections associated with your Account, but they must be related to the project you are hosting on GitHub. You may not advertise in other Users' Accounts, such as by posting monetized or excessive bulk content in issues. 
@@ -82,16 +93,5 @@ You may not promote or distribute content or activity that is illegal or otherwi If you decide to post any promotional materials in your Account, you are solely responsible for complying with all applicable laws and regulations, including without limitation the U.S. Federal Trade Commission's Guidelines on Endorsements and Testimonials. We reserve the right to remove any promotional materials or advertisements that, in our sole discretion, violate any GitHub terms or policies. -### 9. Spam and Inauthentic Activity on GitHub -Automated excessive bulk activity and coordinated inauthentic activity, such as spamming, are prohibited on GitHub. Prohibited activities include: -* bulk distribution of promotions and advertising prohibited by GitHub terms and policies -* inauthentic interactions, such as fake accounts and automated inauthentic activity -* rank abuse, such as automated starring or following -* creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity -* using GitHub as a platform for propagating abuse on other platforms -* phishing or attempted phishing - -GitHub reserves the right to remove any Content in violation of this policy. - ### 10. User Protection You must not engage in activity that significantly harms other users. We will resolve disputes in favor of protecting users as a whole. From dc55f21085424dcb58a8c6dbd24feb551d38bc63 Mon Sep 17 00:00:00 2001 From: Abby Vollmer Date: Thu, 29 Apr 2021 09:53:31 -0700 Subject: [PATCH 02/11] Update github-community-guidelines.md --- Policies/github-community-guidelines.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/Policies/github-community-guidelines.md b/Policies/github-community-guidelines.md index 29faa59f..9dfc950a 100644 --- a/Policies/github-community-guidelines.md +++ b/Policies/github-community-guidelines.md 
@@ -79,7 +79,16 @@ We are committed to maintaining a community where users are free to express them You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information. - #### Active malware or exploits - Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform for exploit delivery, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Note, however, that we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community. + Being part of a community includes not taking advantage of other members of the community. 
We do not allow anyone to use our platform in support of active attacks that cause harm, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. + + Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We ask that repository owners take the following steps when posting potentially harmful content for the purposes of security research: + + * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file. + * Provide a designated security contact through a SECURITY.md file in the repository. + + Please also note, GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution. + + *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* ### What happens if someone breaks the rules? 
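Review bot: Removing the `- #### Active malware or exploits` line takes away both the list-item marker and the heading: every other entry under "What is not allowed?" is a `- #### Heading` bullet with its body indented beneath it, whereas the replacement begins at ` Being part of a community...` with no bullet, so this entry renders differently and the heading's anchor disappears; keep a heading such as `- #### Active malware or exploits` (or a renamed one) above the new body. Two wording points: `GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution` does not say whether abuse reports alone trigger restriction or only reports received while a fix is in progress, nor what "restrict" means (a later commit message in this series says authentication-based where possible, which belongs in the policy text); and the old text's explicit statement that posting source code which could be used to develop malware or exploits is not prohibited is replaced by support for content "used for research into vulnerabilities, malware or exploits", which is narrower because it conditions the allowance on a research purpose, so confirm that narrowing is intended. The italic npm registry sentence states a premise without its consequence; say what follows from it. The `README.md` disclaimer and `SECURITY.md` contact bullets are framed as "We ask that", so make clear whether they are recommendations or conditions for the content staying up.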
@@ -95,6 +104,10 @@ Actions we may take in response to an abuse report include but are not limited t * Account Suspension * Account Termination +### Appeal and Reinstatement + +In some cases there may be a basis to reverse an action, for example, based on additional information a user provided, or where a user has addressed the violation and agreed to abide by our Acceptable Use Policies moving forward. If you wish to appeal an enforcement action, please contact [support](https://support.github.com/contact). + ### Legal Notices We dedicate these Community Guidelines to the public domain for anyone to use, reuse, adapt, or whatever, under the terms of [CC0-1.0](https://creativecommons.org/publicdomain/zero/1.0/). From e3280345b36bb73611dc57ad7cc7834f436f9f67 Mon Sep 17 00:00:00 2001 From: Abby Vollmer Date: Thu, 29 Apr 2021 09:57:33 -0700 Subject: [PATCH 03/11] Update github-community-guidelines.md From e31711b26c9b192a9ab736f541c517f429aa93f3 Mon Sep 17 00:00:00 2001 From: Abby Vollmer Date: Mon, 3 May 2021 20:18:16 -0700 Subject: [PATCH 04/11] move "Spam and Inauthentic Activity" section back to where it was --- Policies/github-acceptable-use-policies.md | 32 +++++++++++----------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/Policies/github-acceptable-use-policies.md b/Policies/github-acceptable-use-policies.md index 5208bfd4..5bd81257 100644 --- a/Policies/github-acceptable-use-policies.md +++ b/Policies/github-acceptable-use-policies.md 
@@ -50,21 +50,10 @@ While using the Service, under no circumstances will you: - violate the privacy of any third party, such as by posting another person's personal information without consent. -### 4. Spam and Inauthentic Activity on GitHub -Automated excessive bulk activity and coordinated inauthentic activity, such as spamming, are prohibited on GitHub. Prohibited activities include: -* bulk distribution of promotions and advertising prohibited by GitHub terms and policies -* inauthentic interactions, such as fake accounts and automated inauthentic activity -* rank abuse, such as automated starring or following -* creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity -* using GitHub as a platform for propagating abuse on other platforms -* phishing or attempted phishing - -GitHub reserves the right to remove any Content in violation of this policy. - -### 5. Services Usage Limits +### 4. Services Usage Limits You will not reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without our express written permission. -### 6. Information Usage Restrictions +### 5. Information Usage Restrictions You may use information from our Service for the following reasons, regardless of whether the information was scraped, collected through our API, or obtained otherwise: - Researchers may use public, non-personal information from the Service for research purposes, only if any publications resulting from that research are [open access](https://en.wikipedia.org/wiki/Open_access). 
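Review bot: The section move introduced in `[PATCH 01/11]` is reverted here unchanged, so across the series this hunk and the two that follow cancel out against their counterparts in that patch, leaving a renumber/un-renumber pair with no net change to sections 4 through 9; squash this commit with PATCH 01 (or drop the move there) so reviewers only see the substantive policy edits.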
@@ -76,15 +65,15 @@ You may not use information from the Service (whether scraped, collected through Your use of information from the Service must comply with the [GitHub Privacy Statement](/github/site-policy/github-privacy-statement). -### 7. Privacy +### 6. Privacy Misuse of User Personal Information is prohibited. Any person, entity, or service collecting data from the Service must comply with the [GitHub Privacy Statement](/articles/github-privacy-statement), particularly in regards to the collection of User Personal Information. If you collect any User Personal Information from the Service, you agree that you will only use that User Personal Information for the purpose for which that User has authorized it. You agree that you will reasonably secure any User Personal Information you have gathered from the Service, and you will respond promptly to complaints, removal requests, and "do not contact" requests from us or other users. -### 8. Excessive Bandwidth Use +### 7. Excessive Bandwidth Use The Service's bandwidth limitations vary based on the features you use. If we determine your bandwidth usage to be significantly excessive in relation to other users of similar features, we reserve the right to suspend your Account, throttle your file hosting, or otherwise limit your activity until you can reduce your bandwidth consumption. We also reserve the right—after providing advance notice—to delete repositories that we determine to be placing undue strain on our infrastructure. For guidance on acceptable use of object storage in repositories, refer to "[What is my disk quota?](/github/managing-large-files/what-is-my-disk-quota)". For more details on specific features' bandwidth limitations, see the [GitHub Additional Product Terms](/github/site-policy/github-additional-product-terms). -### 9. Advertising on GitHub +### 8. Advertising on GitHub **Short version:** *We do not generally prohibit use of GitHub for advertising. 
However, we expect our users to follow certain limitations, so GitHub does not become a spam haven. No one wants that.* While we understand that you may want to promote your Content by posting supporters' names or logos in your Account, the primary focus of the Content posted in or through your Account to the Service should not be advertising or promotional marketing. This includes Content posted in or through Pages, Packages, repositories, and all other parts of the Service. You may include static images, links, and promotional text in the README documents or project description sections associated with your Account, but they must be related to the project you are hosting on GitHub. You may not advertise in other Users' Accounts, such as by posting monetized or excessive bulk content in issues. 
@@ -93,5 +82,16 @@ You may not promote or distribute content or activity that is illegal or otherwi If you decide to post any promotional materials in your Account, you are solely responsible for complying with all applicable laws and regulations, including without limitation the U.S. Federal Trade Commission's Guidelines on Endorsements and Testimonials. We reserve the right to remove any promotional materials or advertisements that, in our sole discretion, violate any GitHub terms or policies. +### 9. Spam and Inauthentic Activity on GitHub +Automated excessive bulk activity and coordinated inauthentic activity, such as spamming, are prohibited on GitHub. Prohibited activities include: +* bulk distribution of promotions and advertising prohibited by GitHub terms and policies +* inauthentic interactions, such as fake accounts and automated inauthentic activity +* rank abuse, such as automated starring or following +* creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity +* using GitHub as a platform for propagating abuse on other platforms +* phishing or attempted phishing + +GitHub reserves the right to remove any Content in violation of this policy. + ### 10. User Protection You must not engage in activity that significantly harms other users. We will resolve disputes in favor of protecting users as a whole. From 65cd59238d8e3dcaa3ac37185c8c5384ef67d05e Mon Sep 17 00:00:00 2001 
From: Abby Vollmer Date: Mon, 3 May 2021 20:31:49 -0700 Subject: [PATCH 05/11] Update github-acceptable-use-policies.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **tl;dr: here's our take on a first iteration of changes based on your feedback, key takeaways:** - **dual use security research content remains explicitly welcome on GitHub** - **by “harm” we mean “causing technical harms, such as overconsumption of resources, physical damage, downtime, denial of service, or data loss”** - **we removed any disclosure methodology bias based on status of vulnerability knowledge** - **we clarified what we mean by “restriction” (authentication-based where possible) and under which circumstances it might apply** - **we clarified the intent of our security contact recommendation and made it more flexible** **:eyes: at the [changes](https://github.com/github/site-policy/pull/397/files) and read below for more details** With these updates, we want to reiterate that this effort and conversation is an attempt to narrow restrictions in our existing policies which we felt were too broad in scope, and to explicitly allow dual use software to exist on the platform. We feel it is crucial to the future of software security that developers and security researchers are able to collaborate freely on our platform. With such explicit allowances comes a need to capture those corner cases where we need to be able to respond to platform abuse. Specifically, these are the cases where GitHub, the platform, is abused to deliver malware and exploits into victim infrastructure. The challenge is to broadly welcome dual use security research content on GitHub, but also make it explicit that using GitHub as a malware or exploit CDN in support of unlawful activity is not allowed. Our intent is to capture this by tying incident response to specific abuse reports we receive from others. 
We do not want to restrict or qualify dual use security research content, but rather whether or not something is being hosted on the platform with the purpose of facilitating unlawful activity. The actionable difference would be a project whose majority interactions are from victim infrastructure as evidenced by abuse reports. This requires clear, actionable language that guides our incident response teams, but that is also sufficiently narrow in scope so that we err on the side of open and free research and development. Any action we take should only affect a specific instance of a project tied to a specific abuse, in collaboration with the project owner where possible (i.e. when we are able to establish contact), and with the lightest touch required to halt the abuse (e.g. by making the content accessible only to authenticated users in the case of automated malware CDN abuse). We understand that GitHub is not going to solve decades of passionate debate on the subject of dual use security research, but we felt it was time to have this conversation and reaffirm that security research has a stable home on GitHub. We look forward to your continued contributions and comments as we continue to iterate based on your feedback. If the community strongly prefers to leave our [AUP and CG](https://docs.github.com/en/github/site-policy/github-community-guidelines) as it currently exists in place, we are also open to that feedback. --- Policies/github-acceptable-use-policies.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Policies/github-acceptable-use-policies.md b/Policies/github-acceptable-use-policies.md index 5bd81257..0916a173 100644 --- a/Policies/github-acceptable-use-policies.md +++ b/Policies/github-acceptable-use-policies.md 
@@ -31,10 +31,12 @@ Under no circumstances will Users upload, post, host, execute, or transmit any C - is or contains false, inaccurate, or intentionally deceptive information that is likely to adversely affect the public interest (including health, safety, election integrity, and civic participation); -- contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm; or +- directly supports unlawful active attack or malware campaigns that are causing technical harms such as overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring; or - infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other right. +Please see our [Community Guidelines](/github/site-policy/github-community-guidelines#what-is-not-allowed) for more details. + ### 3. Conduct Restrictions While using the Service, under no circumstances will you: From 21ca446b33c747ef4078e6df38053f72c6306034 Mon Sep 17 00:00:00 2001 
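Review bot: The replacement bullet `directly supports unlawful active attack or malware campaigns that are causing technical harms such as overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring; or` packs three tests into one clause, and the last attaches ambiguously: "with no implicit or explicit dual-use purpose" can be read as modifying the Content or the campaigns, and "prior to the abuse occurring" introduces a timing test that nothing in the policy explains (who determines when the abuse began, and from what evidence). The commit message gives the intended standard, abuse reports showing a project whose majority interactions are from victim infrastructure, so state that evidentiary basis in the text or in the linked Community Guidelines rather than only in the commit; "unlawful active attack or malware campaigns" also needs an article or a comma ("unlawful, active attack or malware campaigns"). The added `Please see our [Community Guidelines](/github/site-policy/github-community-guidelines#what-is-not-allowed)` pointer is a good addition, and the anchor matches the "What is not allowed?" heading in that file.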
From: Abby Vollmer Date: Mon, 3 May 2021 20:36:32 -0700 Subject: [PATCH 06/11] Update github-community-guidelines.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **tl;dr: here's our take on a first iteration of changes based on your feedback, key takeaways:** - **dual use security research content remains explicitly welcome on GitHub** - **by “harm” we mean “causing technical harms, such as overconsumption of resources, physical damage, downtime, denial of service, or data loss”** - **we removed any disclosure methodology bias based on status of vulnerability knowledge** - **we clarified what we mean by “restriction” (authentication-based where possible) and under which circumstances it might apply** - **we clarified the intent of our security contact recommendation and made it more flexible** **:eyes: at the [changes](https://github.com/github/site-policy/pull/397/files) and read below for more details** With these updates, we want to reiterate that this effort and conversation is an attempt to narrow restrictions in our existing policies which we felt were too broad in scope, and to explicitly allow dual use software to exist on the platform. We feel it is crucial to the future of software security that developers and security researchers are able to collaborate freely on our platform. With such explicit allowances comes a need to capture those corner cases where we need to be able to respond to platform abuse. Specifically, these are the cases where GitHub, the platform, is abused to deliver malware and exploits into victim infrastructure. The challenge is to broadly welcome dual use security research content on GitHub, but also make it explicit that using GitHub as a malware or exploit CDN in support of unlawful activity is not allowed. Our intent is to capture this by tying incident response to specific abuse reports we receive from others. 
We do not want to restrict or qualify dual use security research content, but rather whether or not something is being hosted on the platform with the purpose of facilitating unlawful activity. The actionable difference would be a project whose majority interactions are from victim infrastructure as evidenced by abuse reports. This requires clear, actionable language that guides our incident response teams, but that is also sufficiently narrow in scope so that we err on the side of open and free research and development. Any action we take should only affect a specific instance of a project tied to a specific abuse, in collaboration with the project owner where possible (i.e. when we are able to establish contact), and with the lightest touch required to halt the abuse (e.g. by making the content accessible only to authenticated users in the case of automated malware CDN abuse). We understand that GitHub is not going to solve decades of passionate debate on the subject of dual use security research, but we felt it was time to have this conversation and reaffirm that security research has a stable home on GitHub.
---
title: GitHub Community Guidelines
redirect_from:
  - /community-guidelines/
  - /articles/github-community-guidelines
versions:
  free-pro-team: '*'
topics:
  - policy
  - legal
---

Millions of developers host millions of projects on GitHub — both open and closed source — and we're honored to play a part in enabling collaboration across the community every day. Together, we all have an exciting opportunity and responsibility to make this a community we can be proud of.

GitHub users worldwide bring wildly different perspectives, ideas, and experiences, and range from people who created their first "Hello World" project last week to the most well-known software developers in the world. We are committed to making GitHub a welcoming environment for all the different voices and perspectives in our community, while maintaining a space where people are free to express themselves.

We rely on our community members to communicate expectations, [moderate](#what-if-something-or-someone-offends-you) their projects, and {% data variables.contact.report_abuse %} or {% data variables.contact.report_content %}. By outlining what we expect to see within our community, we hope to help you understand how best to collaborate on GitHub, and what type of actions or content may violate our [Terms of Service](#legal-notices), which include our [Acceptable Use Policies](/github/site-policy/github-acceptable-use-policies). We will investigate any abuse reports and may moderate public content on our site that we determine to be in violation of our Terms of Service.

### Building a strong community

The primary purpose of the GitHub community is to collaborate on software projects. We want people to work better together. Although we maintain the site, this is a community we build *together*, and we need your help to make it the best it can be.

* **Be welcoming and open-minded** - Other collaborators may not have the same experience level or background as you, but that doesn't mean they don't have good ideas to contribute. We encourage you to be welcoming to new collaborators and those just getting started.

* **Respect each other.** Nothing sabotages healthy conversation like rudeness. Be civil and professional, and don’t post anything that a reasonable person would consider offensive, abusive, or hate speech. Don’t harass or grief anyone. Treat each other with dignity and consideration in all interactions.

  You may wish to respond to something by disagreeing with it. That’s fine. But remember to criticize ideas, not people. Avoid name-calling, ad hominem attacks, responding to a post’s tone instead of its actual content, and knee-jerk contradiction. Instead, provide reasoned counter-arguments that improve the conversation.

* **Communicate with empathy** - Disagreements or differences of opinion are a fact of life. Being part of a community means interacting with people from a variety of backgrounds and perspectives, many of which may not be your own. If you disagree with someone, try to understand and share their feelings before you address them. This will promote a respectful and friendly atmosphere where people feel comfortable asking questions, participating in discussions, and making contributions.

* **Be clear and stay on topic** - People use GitHub to get work done and to be more productive. Off-topic comments are a distraction (sometimes welcome, but usually not) from getting work done and being productive. Staying on topic helps produce positive and productive discussions.

  Additionally, communicating with strangers on the Internet can be awkward. It's hard to convey or read tone, and sarcasm is frequently misunderstood. Try to use clear language, and think about how it will be received by the other person.

### What if something or someone offends you?

We rely on the community to let us know when an issue needs to be addressed. We do not actively monitor the site for offensive content. If you run into something or someone on the site that you find objectionable, here are some tools GitHub provides to help you take action immediately:

* **Communicate expectations** - If you participate in a community that has not set their own, community-specific guidelines, encourage them to do so either in the README or [CONTRIBUTING file](/articles/setting-guidelines-for-repository-contributors/), or in [a dedicated code of conduct](/articles/adding-a-code-of-conduct-to-your-project/), by submitting a pull request.

* **Moderate Comments** - If you have [write-access privileges](/articles/repository-permission-levels-for-an-organization/) for a repository, you can edit, delete, or hide anyone's comments on commits, pull requests, and issues. Anyone with read access to a repository can view a comment's edit history. Comment authors and people with write access to a repository can delete sensitive information from a comment's edit history. For more information, see "[Tracking changes in a comment](/articles/tracking-changes-in-a-comment)" and "[Managing disruptive comments](/articles/managing-disruptive-comments)."

* **Lock Conversations** - If a discussion in an issue or pull request gets out of control, you can [lock the conversation](/articles/locking-conversations/).

* **Block Users** - If you encounter a user who continues to demonstrate poor behavior, you can [block the user from your personal account](/articles/blocking-a-user-from-your-personal-account/) or [block the user from your organization](/articles/blocking-a-user-from-your-organization/).

Of course, you can always contact us to {% data variables.contact.report_abuse %} if you need more help dealing with a situation.

### What is not allowed?

We are committed to maintaining a community where users are free to express themselves and challenge one another's ideas, both technical and otherwise. Such discussions, however, are unlikely to foster fruitful dialog when ideas are silenced because community members are being shouted down or are afraid to speak up. That means you should be respectful and civil at all times, and refrain from attacking others on the basis of who they are. We do not tolerate behavior that crosses the line into the following:

- #### Threats of violence
  You may not threaten violence towards others or use the site to organize, promote, or incite acts of real-world violence or terrorism. Think carefully about the words you use, the images you post, and even the software you write, and how they may be interpreted by others. Even if you mean something as a joke, it might not be received that way. If you think that someone else *might* interpret the content you post as a threat, or as promoting violence or terrorism, stop. Don't post it on GitHub. In extraordinary cases, we may report threats of violence to law enforcement if we think there may be a genuine risk of physical harm or a threat to public safety.

- #### Hate speech and discrimination
  While it is not forbidden to broach topics such as age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation, we do not tolerate speech that attacks a person or group of people on the basis of who they are. Just realize that when approached in an aggressive or insulting manner, these (and other) sensitive topics can make others feel unwelcome, or perhaps even unsafe. While there's always the potential for misunderstandings, we expect our community members to remain respectful and civil when discussing sensitive topics.

- #### Bullying and harassment
  We do not tolerate bullying or harassment. This means any habitual badgering or intimidation targeted at a specific person or group of people. In general, if your actions are unwanted and you continue to engage in them, there's a good chance you are headed into bullying or harassment territory.

- #### Disrupting the experience of other users
  Being part of a community includes recognizing how your behavior affects others and engaging in meaningful and productive interactions with people and the platform they rely on. Behaviors such as repeatedly posting off-topic comments, opening empty or meaningless issues or pull requests, or using any other platform feature in a way that continually disrupts the experience of other users are not allowed. While we encourage maintainers to moderate their own projects on an individual basis, GitHub staff may take further restrictive action against accounts that are engaging in these types of behaviors.

- #### Impersonation
  You may not seek to mislead others as to your identity by copying another person's avatar, posting content under their email address, using a similar username or otherwise posing as someone else. Impersonation is a form of harassment.

- #### Doxxing and invasion of privacy
  Don't post other people's personal information, such as personal, private email addresses, phone numbers, physical addresses, credit card numbers, Social Security/National Identity numbers, or passwords. Depending on the context, such as in the case of intimidation or harassment, we may consider other information, such as photos or videos that were taken or distributed without the subject's consent, to be an invasion of privacy, especially when such material presents a safety risk to the subject.

- #### Sexually obscene content
  Don’t post content that is pornographic. This does not mean that all nudity, or all code and content related to sexuality, is prohibited. We recognize that sexuality is a part of life and non-pornographic sexual content may be a part of your project, or may be presented for educational or artistic purposes. We do not allow obscene sexual content or content that may involve the exploitation or sexualization of minors.

- #### Gratuitously violent content
  Don’t post violent images, text, or other content without reasonable context or warnings. While it's often okay to include violent content in video games, news reports, and descriptions of historical events, we do not allow violent content that is posted indiscriminately, or that is posted in a way that makes it difficult for other users to avoid (such as a profile avatar or an issue comment).
A clear warning or disclaimer in other contexts helps users make an educated decision as to whether or not they want to engage with such content. - #### Misinformation and disinformation You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information. - #### Active malware or exploits Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in support of active attacks that cause harm, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. 
We recommend that repository owners take the following steps when posting potentially harmful content for the purposes of security research: * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file. * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. We allow dual use content and assume positive intention and use of these projects to promote and drive improvements across the ecosystem. In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign. Restriction is aimed at disrupting ongoing attack or malware campaigns and where possible takes the form of putting the content behind authentication, but may, as an option of last resort, involve a full removal where this is not possible (e.g. when posted as a gist) or if the content is posted by the account owner as part of a direct participation in unlawful attack or malware campaigns that are causing technical harms. We will contact the project owner in an effort to discuss and collaborate on any such response. The goal is to hinder the proliferation of a specific unlawful active attack or malware campaign that is causing technical harm, and does not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. 
While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place (See "Appeal and Reinstatement") *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* ### What happens if someone breaks the rules? There are a variety of actions that we may take when a user reports inappropriate behavior or content. It usually depends on the exact circumstances of a particular case. We recognize that sometimes people may say or do inappropriate things for any number of reasons. Perhaps they did not realize how their words would be perceived. Or maybe they just let their emotions get the best of them. Of course, sometimes, there are folks who just want to spam or cause trouble. Each case requires a different approach, and we try to tailor our response to meet the needs of the situation that has been reported. We'll review each abuse report on a case-by-case basis. In each case, we will have a diverse team investigate the content and surrounding facts and respond as appropriate, using these guidelines to guide our decision. Actions we may take in response to an abuse report include but are not limited to: * Content Removal * Content Blocking * Account Suspension * Account Termination ### Appeal and Reinstatement In some cases there may be a basis to reverse an action, for example, based on additional information a user provided, or where a user has addressed the violation and agreed to abide by our Acceptable Use Policies moving forward. If you wish to appeal an enforcement action, please contact [support](https://support.github.com/contact). ### Legal Notices We dedicate these Community Guidelines to the public domain for anyone to use, reuse, adapt, or whatever, under the terms of [CC0-1.0](https://creativecommons.org/publicdomain/zero/1.0/). 
These are only guidelines; they do not modify our [Terms of Service](/articles/github-terms-of-service/) and are not intended to be a complete list. GitHub retains full discretion under the [Terms of Service](/articles/github-terms-of-service/#c-acceptable-use) to remove any content or terminate any accounts for activity that violates our Terms on Acceptable Use. These guidelines describe when we will exercise that discretion. We look forward to your continued contributions and comments as we continue to iterate based on your feedback. If the community strongly prefers to leave our [AUP and CG](https://docs.github.com/en/github/site-policy/github-community-guidelines) as it currently exists in place, we are also open to that feedback. --- Policies/github-community-guidelines.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Policies/github-community-guidelines.md b/Policies/github-community-guidelines.md index 9dfc950a..9ebfd327 100644 --- a/Policies/github-community-guidelines.md +++ b/Policies/github-community-guidelines.md 
@@ -81,15 +81,14 @@ We are committed to maintaining a community where users are free to express them - #### Active malware or exploits Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in support of active attacks that cause harm, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. - Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We ask that repository owners take the following steps when posting potentially harmful content for the purposes of security research: + Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We recommend that repository owners take the following steps when posting potentially harmful content for the purposes of security research: - * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file. - * Provide a designated security contact through a SECURITY.md file in the repository. + * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file. + * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. 
- Please also note, GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution. - - *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* + We allow dual use content and assume positive intention and use of these projects to promote and drive improvements across the ecosystem. In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign. Restriction is aimed at disrupting ongoing attack or malware campaigns and where possible takes the form of putting the content behind authentication, but may, as an option of last resort, involve a full removal where this is not possible (e.g. when posted as a gist) or if the content is posted by the account owner as part of a direct participation in unlawful attack or malware campaigns that are causing technical harms. We will contact the project owner in an effort to discuss and collaborate on any such response. The goal is to hinder the proliferation of a specific unlawful active attack or malware campaign that is causing technical harm, and does not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place (See "Appeal and Reinstatement") + *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* ### What happens if someone breaks the rules? 
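Review bot: the added `+ We allow dual use content ...` paragraph folds two different removal triggers into one sentence: full removal "where this is not possible (e.g. when posted as a gist)" and full removal where "the content is posted by the account owner as part of a direct participation in unlawful attack or malware campaigns". A reader cannot tell whether the gist case is a limitation of the authentication mechanism or a separate ground for removal; split the sentence so each trigger stands alone, and if the reason is that gists cannot be put behind authentication, say so. The removed line ("GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities") was the one explicit statement that research exploits stay up; the replacement only implies it through "We allow dual use content", so consider keeping a sentence to that effect. On the SECURITY.md bullet, the example contact ("Please create an issue on this repository") routes abuse inquiries through a public issue tracker, which makes every concern and the reporter's details public; the example should at least allow a private channel alongside the public one.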
From 55fd371fb0a360208c7cbc447b1921f4daf33a99 Mon Sep 17 00:00:00 2001 
From: Abby Vollmer
Date: Thu, 20 May 2021 14:58:26 -0700
Subject: [PATCH 07/11] Update github-acceptable-use-policies.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks very much for the continued contributions to this PR. As we continue to listen and iterate based on community feedback, we’ve incorporated many of your code review suggestions in this latest set of revisions to our proposed updates to the Acceptable Use Policies (AUP) and Community Guidelines, to:

- More clearly and narrowly define the scope of platform abuse
- Move examples of abusive content (such as using the platform to manage command and control servers) back to the Acceptable Use Policies
- Broadly and explicitly exempt dual use technology and elaborate on this exemption early on in our Community Guidelines
- Remove redundancy in the elaboration of the policy in the Community Guidelines
- Move examples of what we mean by technical harms to the Community Guidelines
- Clearly indicate in which cases of platform abuse restrictions might apply, and what form those restrictions take
- Further clarify that our SECURITY.md contact recommendation is not a requirement

:eyes: at the changes https://github.com/github/site-policy/pull/397/files and read below for more details. For a full summary of previous iterations and updates based on your feedback so far, please see the [opening PR comment](https://github.com/github/site-policy/pull/397#issue-626295321), which we've updated with that history.

***

Again, the goal of these updates is to remove any overly broad restrictions on dual use technology on GitHub as it exists in our current policy, and to provide clear guidelines for both ourselves and the security community as a whole that enable, welcome and encourage security research and collaboration on our platform. As we draw closer to the end of our 30-day comment period on June 1, 2021, we invite your continued discussion and feedback on these changes.
If you have direct updates to the AUP or Community Guidelines language you’d like to propose, we strongly encourage the use of commit suggestions in your PR comments. We would like to thank the community members, project maintainers, and developers who have shared feedback with us in the PR and have reached out for live discussions on this topic. Your feedback and suggestions have been tremendously valuable throughout this process. ✨ --- Policies/github-acceptable-use-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Policies/github-acceptable-use-policies.md b/Policies/github-acceptable-use-policies.md index 0916a173..9347dcc5 100644 --- a/Policies/github-acceptable-use-policies.md +++ b/Policies/github-acceptable-use-policies.md @@ -31,7 +31,7 @@ Under no circumstances will Users upload, post, host, execute, or transmit any C - is or contains false, inaccurate, or intentionally deceptive information that is likely to adversely affect the public interest (including health, safety, election integrity, and civic participation); -- directly supports unlawful active attack or malware campaigns that are causing technical harms such as overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring; or +- directly supports unlawful active attack or malware campaigns that are causing technical harms — such as using our platform to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers — with no implicit or explicit dual-use purpose prior to the abuse occurring; or - infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other right. From 956f0f6dbde483c0cb3baeef0f5765ebdd653d88 Mon Sep 17 00:00:00 2001 
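Review bot: the `+` line replaces the concrete list of technical harms ("overconsumption of resources, physical damage, downtime, denial of service, or data loss") with delivery and infrastructure examples, so this file now uses "technical harms" as a defined term without defining it. The commit message says the definition moved to the Community Guidelines; add a cross-reference in the bullet, otherwise the AUP relies on a definition in a document it does not cite. The trailing clause "with no implicit or explicit dual-use purpose prior to the abuse occurring" is also ambiguous about what it modifies: as written it can attach to "campaigns" rather than to the Content the bullet prohibits. Placing the qualifier next to the prohibited Content ("Content that directly supports ... and had no implicit or explicit dual-use purpose prior to the abuse occurring") would remove that reading.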
From: Abby Vollmer
Date: Thu, 20 May 2021 15:02:04 -0700
Subject: [PATCH 08/11] Update github-community-guidelines.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks very much for the continued contributions to this PR. As we continue to listen and iterate based on community feedback, we’ve incorporated many of your code review suggestions in this latest set of revisions to our proposed updates to the Acceptable Use Policies (AUP) and Community Guidelines, to:

- More clearly and narrowly define the scope of platform abuse
- Move examples of abusive content (such as using the platform to manage command and control servers) back to the Acceptable Use Policies
- Broadly and explicitly exempt dual use technology and elaborate on this exemption early on in our Community Guidelines
- Remove redundancy in the elaboration of the policy in the Community Guidelines
- Move examples of what we mean by technical harms to the Community Guidelines
- Clearly indicate in which cases of platform abuse restrictions might apply, and what form those restrictions take
- Further clarify that our SECURITY.md contact recommendation is not a requirement

:eyes: at the changes https://github.com/github/site-policy/pull/397/files and read below for more details. For a full summary of previous iterations and updates based on your feedback so far, please see the [opening PR comment](https://github.com/github/site-policy/pull/397#issue-626295321), which we've updated with that history.

***

Again, the goal of these updates is to remove any overly broad restrictions on dual use technology on GitHub as it exists in our current policy, and to provide clear guidelines for both ourselves and the security community as a whole that enable, welcome and encourage security research and collaboration on our platform. As we draw closer to the end of our 30-day comment period on June 1, 2021, we invite your continued discussion and feedback on these changes.
If you have direct updates to the AUP or Community Guidelines language you’d like to propose, we strongly encourage the use of commit suggestions in your PR comments. We would like to thank the community members, project maintainers, and developers who have shared feedback with us in the PR and have reached out for live discussions on this topic. Your feedback and suggestions have been tremendously valuable throughout this process. :sparkles:

--- Policies/github-community-guidelines.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/Policies/github-community-guidelines.md b/Policies/github-community-guidelines.md index 9ebfd327..b31ab23a 100644 --- a/Policies/github-community-guidelines.md +++ b/Policies/github-community-guidelines.md
@@ -79,14 +79,18 @@ We are committed to maintaining a community where users are free to express them You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information. - #### Active malware or exploits - Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in support of active attacks that cause harm, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. + Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in direct support of unlawful attacks that cause technical harms, such as using GitHub as a means to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. 
Technical harms [includes/means] overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring. - Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We recommend that repository owners take the following steps when posting potentially harmful content for the purposes of security research: + Note that GitHub allows dual use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. - * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file. - * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. + In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). 
We will also contact the project owners about restrictions put in place where possible. + + Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an [appeals process](#appeal-and-reinstatement) in place. - We allow dual use content and assume positive intention and use of these projects to promote and drive improvements across the ecosystem. In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign. Restriction is aimed at disrupting ongoing attack or malware campaigns and where possible takes the form of putting the content behind authentication, but may, as an option of last resort, involve a full removal where this is not possible (e.g. when posted as a gist) or if the content is posted by the account owner as part of a direct participation in unlawful attack or malware campaigns that are causing technical harms. We will contact the project owner in an effort to discuss and collaborate on any such response. The goal is to hinder the proliferation of a specific unlawful active attack or malware campaign that is causing technical harm, and does not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. 
While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place (See "Appeal and Reinstatement") + To facilitate a path to abuse resolution with project maintainers themselves, prior to escalation to GitHub abuse reports,we recommend, but do not require, that repository owners take the following steps when posting potentially harmful security research content: + + * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file or source code comments. + * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* From 9cc8c707d0888aba4d86f5936b2a95470002741f Mon Sep 17 00:00:00 2001 From: Abby Vollmer Date: Tue, 1 Jun 2021 09:48:23 -0700 Subject: [PATCH 09/11] fix typos --- Policies/github-community-guidelines.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/Policies/github-community-guidelines.md b/Policies/github-community-guidelines.md index b31ab23a..75e939a9 100644 --- a/Policies/github-community-guidelines.md +++ b/Policies/github-community-guidelines.md 
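Review bot: the added line "Technical harms [includes/means] overconsumption of resources, ..." still carries an unresolved editorial placeholder in the committed text; settle on one verb before this lands. Two smaller points in the same hunk: "abuse reports,we recommend" is missing a space, and in "restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist)" the pronoun "this" reads as "restriction" when it means "putting the content behind authentication"; spell that out. The reordering itself is sound: the restriction policy now precedes the README/SECURITY.md list, and the list is explicitly "recommend, but do not require", which matches the commit message.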
@@ -6,8 +6,8 @@ redirect_from: versions: free-pro-team: '*' topics: - - policy - - legal + - Policy + - Legal --- Millions of developers host millions of projects on GitHub — both open and closed source — and we're honored to play a part in enabling collaboration across the community every day. Together, we all have an exciting opportunity and responsibility to make this a community we can be proud of. 
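Review bot: the `topics:` frontmatter change (`policy`/`legal` to `Policy`/`Legal`) is outside the scope of a commit titled "fix typos" and is metadata rather than a prose typo; confirm the capitalized values are the ones the docs build expects for this key (the same values used by sibling policy pages), and mention the metadata change in the commit message so it is not mistaken for an accidental edit.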
@@ -79,20 +79,21 @@ We are committed to maintaining a community where users are free to express them You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information. - #### Active malware or exploits - Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in direct support of unlawful attacks that cause technical harms, such as using GitHub as a means to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Technical harms [includes/means] overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring. + Being part of a community includes not taking advantage of other members of the community. 
We do not allow anyone to use our platform in direct support of unlawful attacks that cause technical harms, such as using GitHub as a means to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Technical harms means overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring. - Note that GitHub allows dual use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. + Note that GitHub allows dual-use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. - In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). We will also contact the project owners about restrictions put in place where possible. 
+ In rare cases of very widespread abuse of dual-use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). We will also contact the project owners about restrictions put in place where possible. - Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an [appeals process](#appeal-and-reinstatement) in place. + Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual-use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an [appeals process](#appeal-and-reinstatement) in place. 
- To facilitate a path to abuse resolution with project maintainers themselves, prior to escalation to GitHub abuse reports,we recommend, but do not require, that repository owners take the following steps when posting potentially harmful security research content: + To facilitate a path to abuse resolution with project maintainers themselves, prior to escalation to GitHub abuse reports, we recommend, but do not require, that repository owners take the following steps when posting potentially harmful security research content: - * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file or source code comments. - * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. + * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file or source code comments. + * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. + + *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* - *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* ### What happens if someone breaks the rules? From f0740c7e04f30b360db9d4e597c8c70781f17023 Mon Sep 17 00:00:00 2001 
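Review bot: in the `@@ -79,20 +79,21 @@` hunk the `#### Active malware or exploits` heading appears on a `-` line with no `+` line restoring it, so the heading is dropped while the paragraph beneath it is split into two; PATCH 11 in this same series links to the `#active-malware-or-exploits` fragment, so either keep the heading (add `+#### Active malware or exploits` above the split paragraph) or confirm the missing line is an artifact of how the diff was pasted. Replacing the `[includes/means]` placeholder with `means`, fixing `reports,we`, hyphenating `dual-use`, and moving the italic npm-registry note above the `### What happens if someone breaks the rules?` heading all look correct as shown.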
From: Abby Vollmer Date: Tue, 1 Jun 2021 09:51:47 -0700 Subject: [PATCH 10/11] update front matter --- Policies/github-acceptable-use-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Policies/github-acceptable-use-policies.md b/Policies/github-acceptable-use-policies.md index 9347dcc5..49837ef5 100644 --- a/Policies/github-acceptable-use-policies.md +++ b/Policies/github-acceptable-use-policies.md @@ -5,8 +5,8 @@ redirect_from: versions: free-pro-team: '*' topics: - - policy - - legal + - Policy + - Legal --- **Short version:** _We host a wide variety of collaborative projects from all over the world, and that collaboration only works when our users are able to work together in good faith. While using the Service, you must comply with our Acceptable Use Policies, which include some restrictions on content you can post, conduct on the service, and other limitations. In short, be excellent to each other._ From 6d87bd5913c5b39a6a4b3347a61f0310438c0999 Mon Sep 17 00:00:00 2001 From: Abby Vollmer Date: Fri, 4 Jun 2021 08:56:46 -0700 Subject: [PATCH 11/11] link to Community Guidelines section directly from AUP section on malware --- Policies/github-acceptable-use-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Policies/github-acceptable-use-policies.md b/Policies/github-acceptable-use-policies.md index 223bf113..2b92e421 100644 --- a/Policies/github-acceptable-use-policies.md +++ b/Policies/github-acceptable-use-policies.md 
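Review bot: PATCH 10's hunk changes the `topics` front-matter values from `policy`/`legal` to `Policy`/`Legal`, but the commit message ("update front matter") does not say why; state the reason there and confirm that the capitalized forms are the values other pages in this repository use, so the page is not dropped from topic listings by a case mismatch.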
@@ -31,7 +31,7 @@ Under no circumstances will Users upload, post, host, execute, or transmit any C - is or contains false, inaccurate, or intentionally deceptive information that is likely to adversely affect the public interest (including health, safety, election integrity, and civic participation); -- directly supports unlawful active attack or malware campaigns that are causing technical harms — such as using our platform to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers — with no implicit or explicit dual-use purpose prior to the abuse occurring; or +- directly supports [unlawful active attack or malware campaigns](/github/site-policy/github-community-guidelines#active-malware-or-exploits) that are causing technical harms — such as using our platform to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers — with no implicit or explicit dual-use purpose prior to the abuse occurring; or - shares unauthorized product licensing keys, software for generating unauthorized product licensing keys, or software for bypassing checks for product licensing keys, including extension of a free license beyond its trial period; or
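Review bot: the link added in the `@@ -31,7 +31,7 @@` hunk targets `/github/site-policy/github-community-guidelines#active-malware-or-exploits`, and that fragment resolves only if the Community Guidelines still render a heading titled "Active malware or exploits"; PATCH 01 in this series shows that `####` heading on a `-` line, so verify the anchor against the rendered page once both patches are applied, and mention the target heading in the commit message so the dependency is recorded.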