GitHub Tightens Rules Related to Posting Security Research Results

GitHub has published proposed changes to its policies on posting exploits and malware research results, and on compliance with the US Digital Millennium Copyright Act (DMCA). The changes are still in draft form and are open for public comment for 30 days.

In addition to the existing prohibition on distributing, installing or delivering active malware and exploits, the following conditions have been added to the DMCA compliance rules:

  • An explicit prohibition on hosting in a repository technologies for circumventing technical copyright-protection measures, including license keys, key generators, key-verification bypasses and tools for extending trial periods.
  • A procedure for requesting the removal of such code. The requester must provide technical details, and GitHub states its intention to review each request before blocking a repository.
  • When a repository is blocked, GitHub promises to allow the export of issues and pull requests and to offer legal assistance.

The changes to the exploits and malware policy take into account the criticism that followed the removal from GitHub (owned by Microsoft) of a proof-of-concept exploit for Microsoft Exchange vulnerabilities that were being used in attacks. The new rules attempt to draw an explicit line between dangerous content used in active attacks and code that accompanies security research. The changes are:

  • As before, it is forbidden to attack GitHub users by posting exploit content or to use GitHub as a delivery vehicle for exploits; in addition, it is now forbidden to post malicious code and exploits that accompany active attacks. In general, posting exploit examples prepared in the course of security research for already-fixed vulnerabilities is not prohibited, but in practice everything will depend on how the term "active attacks" is interpreted.

    For example, publishing JavaScript source code in any form that attacks the browser could fall under this criterion: nothing prevents an attacker from loading the source into the victim's browser with a fetch, automatically patching it if the proof of concept was published in a deliberately non-working form, and executing it. The same applies to any other code, for example in C++, which can simply be compiled on the targeted machine and run. When a repository with such code is found, the plan is not to delete it but to block access to it.

  • The section prohibiting spam, cheating, participation in the market for game cheats, programs for violating the rules of other sites, and phishing or attempted phishing has been moved higher in the text.
  • A paragraph has been added explaining how to appeal a block if the repository owner disagrees with it.
  • A new requirement applies to owners of repositories that host potentially dangerous content as part of security research: the presence of such content must be stated explicitly at the beginning of the README.md file, and contact information must be provided in the SECURITY.md file. The policy states that, in general, GitHub does not remove exploits published alongside security research for already-disclosed (non-0-day) vulnerabilities, but it reserves the right to restrict access if it judges that there is still a risk of the exploits being used in real attacks and GitHub support is receiving complaints that the code is being used for attacks.

Source: opennet.ru
