It wasn’t a good day, particularly for the open source community, when the news spread several years ago that none other than Microsoft – the Bill Gates-founded original Big Tech bully and monopoly – would be acquiring the popular code-hosting startup GitHub.
Many feared Microsoft’s negative influence on the collaborative platform, which grew mostly thanks to being endorsed by the very open source community and products that the tech dinosaur had in the past relentlessly tried to wipe off the map.
Despite reassurances, these concerns are still lingering, and there have been several incidents in the meanwhile concerning code removals which only served to reinforce them. And the latest piece of code to go MIA on GitHub has to do with Microsoft itself.
Namely, one of the things the giant is known for – other than its knack for antitrust violations and its (apparently past) distaste for free and open source – is the woeful security track record of its operating system, Windows, and associated services.
Now the company has managed to rattle the security researcher community as well, thanks to GitHub’s decision to remove researcher Nguyen Jang’s proof-of-concept (PoC) exploiting a major Microsoft Exchange vulnerability, CVE-2021-26855.
(The flaw has already been patched so the publishing of the PoC posed no threat to anything but Microsoft’s reputation, as perhaps a reminder of the shaky security of its products.)
The code disappeared from GitHub quickly after a link to it – now broken – was posted on the researcher’s site.
GitHub, of course, is not the only place on the internet where people can publish code and maintain repositories. In fact, post-Microsoft acquisition, many migrated to the smaller competitor, GitLab.
But the move and the double standard attached to it – other PoCs and Metasploit modules that concern companies other than Microsoft are allowed to remain on GitHub – have given pause to many researchers, who have in the meantime adopted the platform as their default place to publish.
“Now that it’s become the standard for security pros to share code, they have elected themselves the arbiters of what is ‘responsible.’ How convenient,” Google security researcher Tavis Ormandy commented on Twitter.
As for Microsoft, it is yet to offer any comment of its own regarding the situation.