GitHub’s new policy sparks heated debate: allowing malware for security research purposes to be hosted

GitHub, the hugely popular source code management platform, has grown into the world’s largest code repository thanks to its useful features and user-friendly interface, and now hosts more than 80 million source code repositories. Companies and individuals alike use GitHub to store and manage source code and keep their software development projects running smoothly.
In March, security researcher Nguyen Jang uploaded a proof-of-concept (PoC) exploit for the Microsoft Exchange ProxyLogon vulnerability to GitHub. GitHub removed the PoC shortly afterwards, saying it did so to protect the Microsoft Exchange servers that were being heavily exploited at the time.
Security researchers then criticized the decision, arguing that GitHub was censoring the disclosure of legitimate security research simply because it affected a Microsoft product.
In April, GitHub issued a “call for feedback” to the cybersecurity community regarding their policy on malware and vulnerabilities hosted on GitHub.
Recently, GitHub published updated guidelines that officially prohibit hosting malware used for malicious activity, using GitHub as a command and control server, and creating repositories to distribute malicious scripts. However, PoC exploits and malware samples shared for purposes such as disseminating new information and conducting security research are allowed. GitHub summarized the changes as follows:
We expressly allow security technologies, as well as content related to research into malware and exploits. We understand that many security research projects on GitHub are well-intentioned and broadly beneficial to the security community.
We have clarified how and when an ongoing attack that exploits the GitHub platform as a vulnerability or malware content delivery network (CDN) can be disrupted. We do not allow the use of GitHub to directly support illegal attacks that cause technical damage.
We have added an appeals and recovery process directly to this policy. We allow users to appeal decisions that restrict access to their content or accounts.
We propose a way for parties to resolve disputes before reporting abuse to GitHub. This takes the form of a suggestion to use the project’s optional SECURITY.md file to provide contact information for handling abuse reports.
GitHub says it will continue to welcome community feedback on its policies in order to keep improving them.
Some netizens strongly agreed with this move, saying: “There is nothing wrong with the PoC or exploit for a CVE being open sourced after the vulnerability is fixed.”
However, other netizens think the policy is very dangerous, asking: “What happens after the malware is compiled and run maliciously?” and warning that GitHub “will become a way to learn to write malware”.
Some users raised their own questions about the move: “How do you define whether something is for security?” “Will it cause viruses and Trojan horses to appear in the open source community?”
What do you think of GitHub’s move?