GitHub has removed code for a proof-of-concept (PoC) exploit published by security researcher Nguyen Jang that exploited a vulnerability in Microsoft’s Exchange software that recently came into the limelight.
GitHub’s decision immediately sparked debate in the cybersecurity industry over when security researchers should avoid publishing software vulnerabilities and how software code platforms like GitHub should manage their users.
It’s an unusually sensitive case: Researchers have published vulnerabilities in Exchange Server that are being exploited by hackers in numerous countries, and analysts worry that cybercriminals will also be “reluctant” to abuse them. Some security analysts are concerned that the proof-of-concept exploits released by researcher Nguyen Jang could enable other malicious attackers to exploit them. But Nguyen argues that the release will prompt organizations to patch.
A GitHub spokesperson said the code was removed because it violated the platform’s policy against uploading “active” software exploits.
“We know that the release and distribution of proof-of-concept exploits has educational and research value for the security community, and we aim to balance interests with maintaining the broader ecosystem,” a GitHub spokesperson said.
But Katie Moussouris, CEO of Luta Security, believes the proof-of-concept exploit code could serve to urge organizations to patch the vulnerability. Other analysts countered that some smaller organizations didn’t have the resources to apply the fixes quickly.
Some security experts say it’s not a zero-sum game, and that researchers can actually explore these vulnerabilities without publicly exploiting them. Matt Graeber, director of research at security firm Red Canary, urged researchers not to release exploit code and instead advise users to take defensive measures based on what they know about the exploit.