Access credentials, such as user names along with passwords, access tokens, or other sensitive secrets that can grant access to your organization's server, network, or domain.

I wonder if someone posted a dump of leaked passwords on GH, will it be considered as sensitive information and then censored? Also, what if someone claimed that a some popular pair of tokens, for example readme and md are a login and a password for their super-secret computer? Would all these repos be censored automatically untill the owners disputed?

I guess that in the case of disclosure of credentials the company/person must just immediately change them. It's not the situation to apply censorship.

Documentation (such as network diagrams) that pose a specific security risk for an organization.

Does reverse-engineered documentation pose a security risk? For example someone have developed an exploit and posted an article about how he did it on GH. Because this docs contains info about some vuln, some orgs may say that it is security critical for them.

I vote against this proposal.

Please pull if it in my system

@KOLANICH These are interesting hypothetical questions. In general, we don't answer hypothetical questions here, because we can't generally tell whether or not a hypothetical situation would or would not be a violation of our policies before it happens.

However, nothing is automatically removed, and we don't censor content. This is a procedure for organizations or individuals to send us requests if they find content that they believe is sensitive, and we review each of those requests to determine whether or not the content meets our definition of sensitive data. Often, this is used when someone carelessly includes a password or token in code they upload to GitHub, which could result in major security breaches.

As the policy states, content governed by our Community Guidelines, such as malware development or general-purpose tools, is not appropriate for removal under this policy.

@nsqe, thank you for the answer.

About leaked passwords and other credentials. When a password is published in public and someone/thing (for example Google or Wayback Machine) have accessed it, a one cannot be sure that the one have accessed it haven't made an own copy. I mean that the best owners can do is to change the compromised credentials as soon as possible, in this case they don't need takedowns. Taking in account that the requests are processed by humans, it should usually be faster to change the credentials. So could you please amend the policy with some words about that GH is not going to take down the credentials which are already changed or can be changed fastly and easily and credential takedown should be used for exceptional cases like leak of credentials for accessing portals of overbuerocratized government orgs where changing credentials is a long process with delivery of physical objects like papers or smartcads involved ONLY?