We at GitLab believe the author did not responsibly disclose this security information in a proper manner, and today we removed the list of hosts in accordance with our terms of service (https://about.gitlab.com/terms/).
The author says that he contacted "about 30 merchants directly", but the published list includes over 1000 merchants. Most merchants were neither informed nor given a chance to respond in a timely manner. We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
This is completely unacceptable. You're treating this as though the author was publishing a list of vulnerabilities about sites. That's not what the author did. The author published a list of sites that are already infected with malware and thus are dangerous for users to visit. This is a public service and there is zero expectation of "responsible disclosure" to the sites. The only thing that disclosing to the sites without telling the public does is protect the reputation of the site, but there's no expectation for anyone to try and protect the reputation of sites that are serving malware.
> We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
The sites were already exploited. That's the thing. At best I can see the argument you're making being "we don't want the sites to get exploited a second time", but that really shouldn't be a concern. The sites were already exploited, there's nothing left to protect. And publishing a list saying "this site has malware on it" doesn't actually tell anybody how the site was vulnerable anyway, unlike disclosing security vulnerabilities which by their very nature informs people how to take advantage of them.
I agree. GitLab's reputation has taken a pretty big hit in my opinion. I kind of expected GitHub's reaction, but had hoped for something better from GitLab (if nothing else, just to differentiate themselves from their opposition).
I'm not sure if GL is trying to protect themselves against something and are making up some excuse to justify it, but the reasons given for taking down the list don't hold water.
GL would be far better stating the real reason for taking the info down (surely there must be one).
So far what they've done is seemingly to protect the merchants' reputation and perhaps protect GL from some imagined legal backlash? The backlash would have no basis in court, or other services like Google's own Safe Browsing would not be viable.
Are we to assume GL cares more about that than users/visitors to these sites?
The real reason is almost certainly something along the lines of 'it's possible we could get sued for libel' or 'we have been threatened with a libel suit'. Not that such a case would ever go anywhere, but I imagine they figure that it's more trouble than it's worth.
I'm not sure if responsible disclosure applies here. This isn't an unannounced 0-day that could in theory be in the hands of criminal elements. Responsible disclosure only works because there is a reasonable chance that an exploit is not already widespread.
> an open invitation for malicious users to exploit.
Malicious entities have already exploited these websites. This problem is widespread - over 1000 merchants. The author has not put the cart before the horse.
If I wanted to protect my family against this by installing uBlock Origin on their machines, could uBlock possibly be hosted somewhere where they wouldn't face this censorship? They have in the past temporarily blocked websites (e.g. Sourceforge adware) but have rapidly unblocked them when the issue is resolved; this has saved my bacon on numerous occasions.
I really appreciate the transparency here - kudos. You have your facts wrong.
What about the consumers who are being put at risk of being defrauded? Do they not have a right to protection? Malware infected ecommerce sites could be stealing credit card info and robbing consumers. Merchants who endanger consumers by failing to provide a secure platform for digital transactions do not have any right to be protected from having their negligence exposed.
A 'normal consumer' won't be helped by such a technical list on github/gitlab. Do you really believe they would look there? If they wanted protection they could have installed ad-blockers etc. a long time ago already. (Or use more reputable shops.)
Lots of people google the name of a webshop to check if it's legit.
Not all, but some non-tech people do that.
And lots of webshop owners google their own shop. Shaming sites that are hosting malware seems perfectly reasonable.
On topic: I assume github/gitlab both completely misunderstood what is going on, and thought this was a disclosure of security holes that could be exploited.
I wouldn't be surprised if they do a lot of these.
Perhaps try to throw it up on a few different CDNs where you pay for the service and can contact support. Like S3 or dreamhost (they have decent support too). Arguably github/gitlab isn't the best hosting platform for misunderstood journalists.
How long is the author going to check and update that list of compromised websites? Right now they are broken, but in 6 months when the site gets upgraded it will be a knock against them unless the author updates the list. This is the real problem.
So when GitLab finally bothers to respond they do so from a new account? Any proof this comes from GitLab?
Which terms specifically does it violate? The terms page you linked to is 10k words long.
As others have mentioned, this is not about responsible disclosure. If those merchants have the good of their customers at heart, they will act to clean up their sites and disclose the breach themselves. If not, they will move to censor this to avoid losing face, maybe not even bothering to remove the malware. And you're just helping them with this.
Don't you feel uncomfortable in making it harder for users to avoid websites with malicious software? It's definitely worth mentioning and explaining if you do.
According to the article, the stores were running malicious javascript which grabs people's credit card info. This obviously means they are vulnerable in some kind of way, but I fail to see how this is reasonably likely to be exploited. Even if it was, you also have to consider the benefit of warning the users.
I am not a security expert though, and I might be missing out on something.
The responsibility of GitLab and GitHub is not to investigate if those 1000 sites are indeed running malware, how dangerous the malware on these sites is, and who could be harmed by it.
The responsibility of GitLab and GitHub is also not to judge if it's "more important" to protect the site owners' businesses or the people going to the sites.
If some sites are running malware, the site owners are responsible for fixing it and not harming the people using their sites, not GitLab or GitHub.
On the contrary, if site owners could be harmed by the name of their sites being on such a list on GitLab or GitHub, then GitLab or GitHub are responsible according to the DMCA.
So GitLab and GitHub are just acting on what they are held responsible for according to the law.
Disclaimer: I am working as a contractor for GitLab and I am not a lawyer. I took no part in GitLab's decision to censor the list and this is just my own opinion.
> On the contrary if site owners could be harmed by the name of their sites being on such list on GitLab or GitHub, then GitLab or GitHub are responsible according to the DMCA.
Nope. DMCA is about copyright, and we have not gotten to the point where someone's URL is copyrighted.
> It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.
These sites are actively participating in harming their users with their negligence. Users should have the ability to know which site is safe and which isn't.
I don't believe it is your place to do so. You have the right to, but you have no real reason to. You will suffer no consequences from removing that list.
Responsible disclosure works because companies are responsive to disclosure.
Full disclosure works because companies are negligent and they've been outed.
The author did contact said websites; it is their responsibility to fix the issue in a timely manner. Removing the content was akin to a newspaper removing stories relating to certain politicians to protect them. It is censorship.
I have to confess, when GH did something offensive I did cancel my paid account there but I still use it, so I guess I didn't care that strongly about it after all...
I don't even believe that. One or more merchants on that list threatened you with legal action so you took it down.
Even if your cover story is true, you are basically throwing users and banks under the bus to help merchants with dirty card readers continue business as usual. Meanwhile users will continue to be defrauded, and banks will have to take the hit when users complain about charges they didn't make.
You still screwed up handling things. Did you verify they are actually vulnerable? Or are you hoping you got it right? 'Cause if the latter, you really shouldn't remove something you don't know anything about.