GitHub, a code hosting service, has modified its regulations on vulnerability research, malware, and exploits to allow for dual-use security research.
Previously, the standards could have been seen as antagonistic toward projects with dual-use material, but the amended guidelines make it clear that GitHub “enables, welcomes, and encourages” dual-use security research — that is, research that can be used for both good and harmful purposes.
The Microsoft-owned site stated, “We clearly permit dual-use security technology and materials linked to research into vulnerabilities, malware, and exploits.”
After certain members of the cybersecurity community expressed concern over the removal of proof-of-concept (PoC) exploit code for various Microsoft Exchange vulnerabilities, GitHub offered certain policy changes. The corporation proposed certain revisions and solicited comments, but many experts deemed the initial improvements to be harmful.
Many of the projects on the platform are dual-use, and GitHub says it recognises the value of this to the security community. In addition, the platform believes that these are used for good, to promote and drive changes.
In addition to stating that dual-use content is allowed, GitHub clarified how and when it will respond to assaults that use the platform as an exploit/malware content delivery network (CDN), emphasising that it will not allow the usage of GitHub in support of illegal activities.
Users can also appeal the code sharing service’s choices to restrict their content or account access, which is an important policy for security researchers.
Furthermore, when filing abuse reports, the platform suggests providing an optional file in projects to provide contact information that can be utilised to resolve problems directly with project maintainers.
GitHub concluded, “We continue to encourage input and improvements on our different site policies and look forward to working with the community to continue to drive improvements in this field.”