Acceptable Use Policies and Community Guidelines updates #528
…munity Guidelines
| We do not allow content or activity on GitHub that: | ||
|
|
||
| - directly supports [unlawful active attack or malware campaigns](/github/site-policy/github-active-malware-or-exploits) that are causing technical harms — such as using our platform to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers — with no implicit or explicit dual-use purpose prior to the abuse occurring; or | ||
| - uses our servers to disrupt or to attempt to disrupt, or to gain or to attempt to gain unauthorized access to, any service, device, data, account or network (unless authorized by the [GitHub Bug Bounty program](https://bounty.github.com)). |
What about activity that is authorized by other sites' bug bounty programs? Should that be allowed?
For example, perhaps a security researcher wants to use a dummy page on github pages to test a vulnerability, in a manner authorized by another bug bounty program / vulnerability disclosure policy.
Thanks for the feedback. We pushed 7aaedb7 to help clarify that activities authorized under bug programs are not considered “unauthorized.”
| * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file or source code comments. | ||
| * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports. | ||
|
|
||
| *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.* |
Why just npm? Consider including a phrase that encompasses other package managers.
Those have their own policy documents, I suppose
Not sure what you mean? Do you mean other github policy documents concerning those package managers?
| - Disingenuously participating in conversation in a way that instigates conflict or undermines sincere discussion | ||
| - Creating alternative accounts specifically to evade moderation action taken by GitHub staff or users | ||
|
|
||
| Please note, not all unwelcome conduct is necessarily considered harassment. For example, disagreeing with another user or downvoting their comments may not rise to the level of harassment on our platform. In addition, sharing criticism of public figures or projects, or topics of public interest does not necessarily fall under this policy. However, we encourage you to be mindful in how you engage with other users and the platform, as this activity may still violate our restriction on disrupting the experience of other users. |
| Please note, not all unwelcome conduct is necessarily considered harassment. For example, disagreeing with another user or downvoting their comments may not rise to the level of harassment on our platform. In addition, sharing criticism of public figures or projects, or topics of public interest does not necessarily fall under this policy. However, we encourage you to be mindful in how you engage with other users and the platform, as this activity may still violate our restriction on disrupting the experience of other users. | |
| Please note, not all unwelcome conduct is necessarily considered harassment. For example, disagreeing with another user or downvoting their comments may not rise to the level of harassment on our platform. In addition, sharing criticism of public figures or projects or topics of public interest does not necessarily fall under this policy. However, we encourage you to be mindful in how you engage with other users and the platform, as this activity may still violate our restriction on disrupting the experience of other users. |
The proposed change would've altered our meaning, but we added a comma for clarification 💥
| * **Reinstatement**: Where a user wishes to address the violation and is willing to agree to abide by our Acceptable Use Policies moving forward, we may choose to reinstate their account or content depending on the severity of the initial violation. | ||
|
|
||
| ## Appeal and Reinstatement | ||
| * **Appeal**: If a user wishes to dispute the basis of an enforcement action and can provide additional information regarding the alleged violation, we will review that information and may grant the appeal where we determined that a violation did not occur. |
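Review bot: In the **Appeal** bullet, "may grant the appeal where we determined that a violation did not occur" pairs a future review ("we will review that information") with a past-tense determination. "Where we determine" would match the rest of the sentence and the present tense used in the **Reinstatement** bullet above ("wishes", "is willing").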
Who reviews appeals?
> Who reviews appeals?

Please see https://docs.github.com/github/site-policy/github-appeal-and-reinstatement to learn about how we handle appeals.
| - infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other right; | ||
|
|
||
| - post off-topic content, or interact with platform features, in a way that significantly or repeatedly [disrupts the experience of other users](/github/site-policy/github-community-guidelines#disrupting-the-experience-of-other-users); | ||
| - shares unauthorized product licensing keys, software for generating unauthorized product licensing keys, or software for bypassing checks for product licensing keys, including extension of a free license beyond its trial period; |
I believe there should be an exemption here for interoperability reasons. For example, the source of hook DLLs to remove invasive DRM which causes games to no longer run on current versions of Windows should be allowed.
We pushed ddd9c0f to add "unlawfully" before "shares" to clarify that we don’t intend for this restriction to apply where a legal exemption, such as for the purpose of interoperability, may apply.
vollmera
left a comment
lgtm ✨ 🚀
Thanks for the feedback! The comment period has ended and the changes are now live 🎉
In this pull request we're proposing changes to our Acceptable Use Policies (AUP) and Community Guidelines to help make our policies clearer and easier to understand.
Here are the key updates:
- `What is not Allowed` section of the Community Guidelines to standalone pages linked from specific restrictions in our AUP. They expand on the restrictions and provide specific examples.

Note that while you may see a lot of green (new) content in the diff, in some cases, this is just because we’ve moved content around. It doesn’t necessarily mean that we’ve changed any of the language. For example, we made no changes to the wording of the restriction against malware and exploits. In addition, each of the standalone pages appears as new content but much is pulled directly from the existing Community Guidelines. The rest of the Community Guidelines will continue to provide general guidelines for how we expect users to interact in the GitHub space.

We also aimed to simplify language in many places. For example, where we used to say `is or contains x information`, we now say `is x`. This is not meant to narrow the scope of the restriction. Instead, we're looking to be more clear in how we communicate our policies.

These updates will go into effect after the 30-day notice and comment period, on March 14, at 3pm PT.