Exploits and malware policy updates #397

Merged
merged 12 commits into from
Jun 4, 2021
6 changes: 4 additions & 2 deletions Policies/github-acceptable-use-policies.md
Expand Up @@ -17,7 +17,7 @@ Capitalized terms used but not defined in these Acceptable Use Policies have the
You are responsible for using the Service in compliance with all applicable laws, regulations, and all of our Acceptable Use Policies. These policies may be updated from time to time and are provided below, as well as in our [Terms of Service](/articles/github-terms-of-service) and [Corporate Terms of Service](/articles/github-corporate-terms-of-service).

### 2. Content Restrictions
Under no circumstances will Users upload, post, host, execute, or transmit any Content to any repositories that:
Under no circumstances will Users upload, post, host, execute, or transmit any Content that:

- is unlawful or promotes unlawful activities;

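Review bot: Dropping "to any repositories" from the lead sentence of section 2 widens every bullet below it from repository content to all Content, so gists, issues, discussions, wiki pages and package registry uploads now fall under the same restrictions. That looks intended, but it should be stated in the PR description, and it is worth confirming that "Content" as defined in the Terms of Service (which the unchanged opening line says supplies the meaning of capitalized terms) actually covers package registries and comments; otherwise the broadened sentence has no defined scope for those surfaces.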
Expand All @@ -31,10 +31,12 @@ Under no circumstances will Users upload, post, host, execute, or transmit any C

- is or contains false, inaccurate, or intentionally deceptive information that is likely to adversely affect the public interest (including health, safety, election integrity, and civic participation);

- contains or installs any active malware or exploits, or uses our platform for exploit delivery (such as part of a command and control system); or
- directly supports unlawful active attack or malware campaigns that are causing technical harms — such as using our platform to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers — with no implicit or explicit dual-use purpose prior to the abuse occurring; or

- infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other right.

Please see our [Community Guidelines](/github/site-policy/github-community-guidelines#what-is-not-allowed) for more details.

### 3. Conduct Restrictions
While using the Service, under no circumstances will you:

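Review bot: The replacement bullet is one long sentence with a nested example clause, and its final qualifier "with no implicit or explicit dual-use purpose prior to the abuse occurring" ends up grammatically attached to "command and control servers" rather than to the Content, which is what the exemption is meant to describe. Suggest splitting it, for example: "directly supports unlawful active attack or malware campaigns that are causing technical harms, such as using our platform to deliver malicious executables or as attack infrastructure (for example, organizing denial of service attacks or managing command and control servers). Content that had an implicit or explicit dual-use purpose before the abuse occurred is not covered by this restriction; or". Separately, "technical harms" is not defined anywhere in this file; the companion Community Guidelines change in this PR defines it, so the "Please see our Community Guidelines" link after the list should point at that definition, or the definition should be repeated here.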
18 changes: 17 additions & 1 deletion Policies/github-community-guidelines.md
Expand Up @@ -79,8 +79,20 @@ We are committed to maintaining a community where users are free to express them
You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information.

- #### Active malware or exploits
Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform for exploit delivery, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Note, however, that we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.
Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in direct support of unlawful attacks that cause technical harms, such as using GitHub as a means to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Technical harms [includes/means] overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring.

Note that GitHub allows dual use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.

In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). We will also contact the project owners about restrictions put in place where possible.

Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an [appeals process](#appeal-and-reinstatement) in place.

To facilitate a path to abuse resolution with project maintainers themselves, prior to escalation to GitHub abuse reports,we recommend, but do not require, that repository owners take the following steps when posting potentially harmful security research content:

* Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file or source code comments.
* Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports.

*GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.*

Is this intended to discourage research like "Dependency Confusion" or would this kind of research still be allowed under this policy change?

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

GitHub will actively remove typosquatting and dependency confusion attacks from package registries to protect end users. The implication here is that researchers should not have an expectation to keep dependency confusion and typosquatting research up for any prolonged time in package ecosystems such as npm. GitHub is working in the next few months to increase the scope of our bug bounty program to include core npm infrastructure and services. This program will provide a clear path to share future research and vulnerabilities in the npm platform while also offering a way to reward researchers for their work.


### What happens if someone breaks the rules?

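Review bot: The added paragraph "Technical harms [includes/means] overconsumption of resources, physical damage, downtime, denial of service, or data loss" still carries the drafting placeholder "[includes/means]" and would be published verbatim; resolve it before merge ("Technical harms means overconsumption of resources, physical damage, downtime, denial of service, or data loss" reads cleanly). In the same sentence the trailing clause "with no implicit or explicit dual-use purpose prior to the abuse occurring" now reads as part of the definition of technical harms rather than as the dual-use exemption, so it belongs in the previous sentence or in the following paragraph, which is where dual-use content is actually addressed. The italic line "GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research" states a characterization but not its consequence; the inline question about dependency confusion research shows it is ambiguous, and the answer given in the thread (typosquatting and dependency confusion packages will be removed from registries) is the rule readers need, so say that in the policy text itself. Two smaller points: "prior to escalation to GitHub abuse reports,we recommend" is missing a space after the comma, and "Acceptable Use Polices" in the unchanged context line at the top of the hunk is a pre-existing typo worth fixing while this section is being touched.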
Expand All @@ -95,6 +107,10 @@ Actions we may take in response to an abuse report include but are not limited t
* Account Suspension
* Account Termination

### Appeal and Reinstatement

In some cases there may be a basis to reverse an action, for example, based on additional information a user provided, or where a user has addressed the violation and agreed to abide by our Acceptable Use Policies moving forward. If you wish to appeal an enforcement action, please contact [support](https://support.github.com/contact).

### Legal Notices

We dedicate these Community Guidelines to the public domain for anyone to use, reuse, adapt, or whatever, under the terms of [CC0-1.0](https://creativecommons.org/publicdomain/zero/1.0/).
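Review bot: "If you wish to appeal an enforcement action" is narrower than what links here: the new dual-use paragraph earlier in this file sends users to #appeal-and-reinstatement when content is restricted (placed behind authentication or disabled), but the enforcement list immediately above this section names only content removal, blocking, account suspension and account termination. Either add content restriction to that list or state explicitly in this section that the appeal covers restriction of dual-use content as well as account actions, so a maintainer whose repository was put behind authentication knows this is the right path. The heading slug "appeal-and-reinstatement" does match the anchor used in the earlier hunk.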