GitHub, the popular code repository platform, is tweaking its policies to reduce the potential for hackers to abuse the platform. GitHub has pledged to block or remove any malicious code that hackers are using in an ongoing cyber attack. With the move, GitHub aims to ensure that its platform is not abused, while security researchers can still use it.
Series of Updates
GitHub will issue a series of updates, and has emphasized that it allows dual-use security technologies and content related to security research. Dual-use technologies are those that have the potential to be used in both a positive and a negative manner. Hence, it will allow malware code that is published with positive intentions, but it will block projects or repositories that may lead to harm to others.
Chief Security Officer Mike Hanley said that “We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.” He further added, “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.”
Open-Source Platform
Microsoft owns GitHub, yet it is an open-source platform. As a result, anyone is free to upload their own code or projects and even contribute to the works of others. This nature of the platform gives a malicious actor the potential to manipulate it and use it for malicious file delivery or as a command-and-control center for cyber attacks. However, GitHub says its moderators will restrict access to abusive content in order to disrupt ongoing attacks or malware campaigns.
Policies of the platform suggest that it could place abusive content behind an authentication barrier, or even disable access or fully remove projects. It has also established an appeals process through which repository owners can appeal any action taken against their projects.
The policy changes come several weeks after GitHub announced that it wanted to consult with developers over how to improve the general security of the ecosystem while preserving the integrity of security research. Many researchers have in the past raised the issue of hackers uploading malware and adding malicious code to legitimate repositories.
The move comes at a time when the US has started to take major steps to tackle ransomware attacks.