April 30, 2021 update: Thank you to everyone who’s weighed in on the discussion so far. I’ve commented in the pull request to clarify a few points based on initial feedback. Keep the comments coming.

We’re calling for feedback on our policy around security research, malware, and exploits on the platform so that the security community can collaborate on GitHub under a clearer set of terms. We want to be more clear about our expectations for keeping GitHub, and the various package registries that call GitHub home, a safe community.

Our policy updates focus on the difference between actively harmful content, which is not allowed on the platform, and at-rest code in support of security research, which is welcome and encouraged. These updates also focus on removing ambiguity in how we use terms like “exploit,” “malware,” and “delivery” to promote clarity of both our expectations and intentions. We’ve opened a pull request for public comment and invite security researchers and developers to collaborate with us on these clarifications and help us better understand the needs of the community.

Open security research should thrive on the GitHub platform. We believe that open communication and collaboration in security research are crucial to software security as a whole, and strive to be an open and impartial platform for security research.

We want GitHub to be the place that security researchers call home, and we hope improving the clarity of our terms in collaboration with the community will serve that goal. These updates are aimed to set clear parameters for the security research community on how GitHub responds to abuse reports relating to malware and exploits on the platform, as well as provide transparency into how GitHub decides whether or not to place restrictions on projects.

You can review our proposed clarifications regarding exploits and malware on GitHub in our site-policy repository, where we continually develop and make updates to our policies collaboratively with the community. We invite all community stakeholders to comment for the 30-day period from now until 10am PT on June 1 2021 and look forward to learning from and engaging with the broader community on these topics.