
GitHub scales back bug bounties, reminds users security is their responsibility too

“Not every valid submission represents a significant security risk. Some reports identify hardening opportunities or documentation gaps,” Jarom Brown, a senior security researcher at GitHub, wrote in a blog post.

On top of that, he said, many of the reports GitHub receives describe out-of-scope scenarios in which someone experiences an “undesirable” outcome after interacting with malicious content on GitHub.

“These reports are often well-written and technically accurate in their observations, but they misunderstand where the security boundary lies. When an ‘attack’ requires the victim to actively seek out and engage with attacker-controlled content (cloning a malicious repo, asking an AI tool to analyze untrusted code, opening a crafted file), the security boundary is the user’s decision to trust that content. These scenarios generally do not represent a bypass of GitHub’s security controls,” he wrote.

Brown’s explanation also serves as a reminder to GitHub users of what the company expects them to do to protect themselves: the platform does not treat a user’s own choice to clone, open, or feed untrusted content to a tool as a GitHub security control that can be bypassed.
