“Not every valid submission represents a significant security risk. Some reports identify hardening opportunities or documentation gaps,” Jarom Brown, a senior security researcher at GitHub, wrote in a blog post.
On top of that, he said, many of the reports GitHub receives describe out-of-scope scenarios in which someone experiences an “undesirable” outcome after interacting with malicious content on GitHub.
“These reports are often well-written and technically accurate in their observations, but they misunderstand where the security boundary lies. When an ‘attack’ requires the victim to actively seek out and engage with attacker-controlled content (cloning a malicious repo, asking an AI tool to analyze untrusted code, opening a crafted file), the security boundary is the user’s decision to trust that content. These scenarios generally don’t represent a bypass of GitHub’s security controls,” he wrote.
Brown’s explanation also serves as a reminder to GitHub users of what the company expects them to do to protect themselves.