GitHub will allow malware and exploits for ‘dual-use security research’ anyway

GitHub will no longer remove proofs-of-concept of malware if researchers use them for dual-use. That means active malware campaigns and command-and-control servers can be removed, but a lot of research can remain.

GitHub has tightened the rules around malware and draft versions of malware. From now on, the site explicitly allows ‘dual-use security technologies’ on the platform. The same goes for other research into vulnerabilities, malware and exploits. That “dual use” in this case means malware that is used in active campaigns as well as uploaded by security researchers to learn from it.

Many security researchers post exploits or proofs-of-concept of known malware on the platform so that the community can study exactly how they work. GitHub says that from now on it will be “assuming positive intentions” when researchers upload such dual-use malware.

In the new policy that GitHub has drawn up around those proofs-of-concept, the company writes that content can be removed “in rare cases”. That is the case if GitHub itself is used as a cdn to spread malware or exploits. In such a case, GitHub says it will first choose to restrict access to content by, for example, requiring additional authentication. In such a case, a block is ‘temporary where possible’. Administrators of such repos are therefore informed more quickly of the objection process.

GitHub is responding to the commotion that started in March with the new rules. The platform removed a proof-of-concept of a vulnerability in Exchange, while it was uploaded by a security researcher for educational purposes. Researchers were dissatisfied with that decision, and with GitHub’s general policy of being ambiguous and against researchers. GitHub then said it was questioning its malware policy, which brought the platform back to new criticism. GitHub said it would then enter into discussions with researchers.