Exploits and malware policy updates

Policies/github-acceptable-use-policies.md

@@ -17,7 +17,7 @@ Capitalized terms used but not defined in these Acceptable Use Policies have the
 You are responsible for using the Service in compliance with all applicable laws, regulations, and all of our Acceptable Use Policies. These policies may be updated from time to time and are provided below, as well as in our [Terms of Service](/articles/github-terms-of-service) and [Corporate Terms of Service](/articles/github-corporate-terms-of-service).
 
 ### 2. Content Restrictions
-Under no circumstances will Users upload, post, host, execute, or transmit any Content to any repositories that:
+Under no circumstances will Users upload, post, host, execute, or transmit any Content that:
 
 - is unlawful or promotes unlawful activities;
 
@@ -31,7 +31,7 @@ Under no circumstances will Users upload, post, host, execute, or transmit any C
 
 - is or contains false, inaccurate, or intentionally deceptive information that is likely to adversely affect the public interest (including health, safety, election integrity, and civic participation);
 
-- contains or installs any active malware or exploits, or uses our platform for exploit delivery (such as part of a command and control system); or
+- contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm; or
 
 - infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other right.
 
@@ -50,10 +50,21 @@ While using the Service, under no circumstances will you:
 
 - violate the privacy of any third party, such as by posting another person's personal information without consent.
 
-### 4. Services Usage Limits
+### 4. Spam and Inauthentic Activity on GitHub
+Automated excessive bulk activity and coordinated inauthentic activity, such as spamming, are prohibited on GitHub. Prohibited activities include:
+* bulk distribution of promotions and advertising prohibited by GitHub terms and policies
+* inauthentic interactions, such as fake accounts and automated inauthentic activity
+* rank abuse, such as automated starring or following
+* creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity
+* using GitHub as a platform for propagating abuse on other platforms
+* phishing or attempted phishing
+
+GitHub reserves the right to remove any Content in violation of this policy.
+
+### 5. Services Usage Limits
 You will not reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without our express written permission.
 
-### 5. Information Usage Restrictions
+### 6. Information Usage Restrictions
 You may use information from our Service for the following reasons, regardless of whether the information was scraped, collected through our API, or obtained otherwise:
 
 -  Researchers may use public, non-personal information from the Service for research purposes, only if any publications resulting from that research are [open access](https://en.wikipedia.org/wiki/Open_access).
@@ -65,15 +76,15 @@ You may not use information from the Service (whether scraped, collected through
 
 Your use of information from the Service must comply with the [GitHub Privacy Statement](/github/site-policy/github-privacy-statement).
 
-### 6. Privacy
+### 7. Privacy
 Misuse of User Personal Information is prohibited.
 
 Any person, entity, or service collecting data from the Service must comply with the [GitHub Privacy Statement](/articles/github-privacy-statement), particularly in regards to the collection of User Personal Information. If you collect any User Personal Information from the Service, you agree that you will only use that User Personal Information for the purpose for which that User has authorized it. You agree that you will reasonably secure any User Personal Information you have gathered from the Service, and you will respond promptly to complaints, removal requests, and "do not contact" requests from us or other users.
 
-### 7. Excessive Bandwidth Use
+### 8. Excessive Bandwidth Use
 The Service's bandwidth limitations vary based on the features you use. If we determine your bandwidth usage to be significantly excessive in relation to other users of similar features, we reserve the right to suspend your Account, throttle your file hosting, or otherwise limit your activity until you can reduce your bandwidth consumption. We also reserve the right—after providing advance notice—to delete repositories that we determine to be placing undue strain on our infrastructure. For guidance on acceptable use of object storage in repositories, refer to "[What is my disk quota?](/github/managing-large-files/what-is-my-disk-quota)". For more details on specific features' bandwidth limitations, see the [GitHub Additional Product Terms](/github/site-policy/github-additional-product-terms).
 
-### 8. Advertising on GitHub
+### 9. Advertising on GitHub
 **Short version:** *We do not generally prohibit use of GitHub for advertising. However, we expect our users to follow certain limitations, so GitHub does not become a spam haven. No one wants that.*
 
 While we understand that you may want to promote your Content by posting supporters' names or logos in your Account, the primary focus of the Content posted in or through your Account to the Service should not be advertising or promotional marketing. This includes Content posted in or through Pages, Packages, repositories, and all other parts of the Service. You may include static images, links, and promotional text in the README documents or project description sections associated with your Account, but they must be related to the project you are hosting on GitHub. You may not advertise in other Users' Accounts, such as by posting monetized or excessive bulk content in issues.
@@ -82,16 +93,5 @@ You may not promote or distribute content or activity that is illegal or otherwi
 
 If you decide to post any promotional materials in your Account, you are solely responsible for complying with all applicable laws and regulations, including without limitation the U.S. Federal Trade Commission's Guidelines on Endorsements and Testimonials. We reserve the right to remove any promotional materials or advertisements that, in our sole discretion, violate any GitHub terms or policies.
 
-### 9. Spam and Inauthentic Activity on GitHub
-Automated excessive bulk activity and coordinated inauthentic activity, such as spamming, are prohibited on GitHub. Prohibited activities include:
-* bulk distribution of promotions and advertising prohibited by GitHub terms and policies
-* inauthentic interactions, such as fake accounts and automated inauthentic activity
-* rank abuse, such as automated starring or following
-* creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity
-* using GitHub as a platform for propagating abuse on other platforms
-* phishing or attempted phishing
-
-GitHub reserves the right to remove any Content in violation of this policy.
-
 ### 10. User Protection
 You must not engage in activity that significantly harms other users. We will resolve disputes in favor of protecting users as a whole.

Policies/github-community-guidelines.md

@@ -79,7 +79,16 @@ We are committed to maintaining a community where users are free to express them
    You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information.
 
 - #### Active malware or exploits
-   Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform for exploit delivery, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Note, however, that we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.
+   Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform in support of active attacks that cause harm, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers.
+
+  Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We ask that repository owners take the following steps when posting potentially harmful content for the purposes of security research:
+
+  * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file.
+  * Provide a designated security contact through a SECURITY.md file in the repository.
+
+  Please also note, GitHub will generally not remove exploits in support of vulnerability reporting or security research into known vulnerabilities. However, GitHub may restrict content if we determine that it still poses a risk where we receive active abuse reports and maintainers are working toward resolution.
+
+  *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.*
 
 
 ### What happens if someone breaks the rules?
@@ -95,6 +104,10 @@ Actions we may take in response to an abuse report include but are not limited t
 * Account Suspension
 * Account Termination
 
+### Appeal and Reinstatement
+
+In some cases there may be a basis to reverse an action, for example, based on additional information a user provided, or where a user has addressed the violation and agreed to abide by our Acceptable Use Policies moving forward. If you wish to appeal an enforcement action, please contact [support](https://support.github.com/contact).
+
 ### Legal Notices
 
 We dedicate these Community Guidelines to the public domain for anyone to use, reuse, adapt, or whatever, under the terms of [CC0-1.0](https://creativecommons.org/publicdomain/zero/1.0/).