GitHub security updates and Copilot expansion make waves

New features unveiled at GitHub Universe include private channels for security issues and Copilot for business, which may fall under a cloud of ongoing litigation.

Developers can now help shore up GitHub security by reporting vulnerabilities using private channels, while proposed Copilot enhancements amid copyright litigation are also creating buzz at GitHub Universe.

Up to this point, open source maintainers on GitHub received security reports via a variety of public channels such as Twitter. That meant bad actors had an opportunity to exploit issues before maintainers could apply a fix. Private reporting hides vulnerabilities from the public eye, which could prevent zero-day attacks that target flaws as soon as they are publicized.

Private vulnerability reporting, launched in an open beta this week, allows maintainers to opt in to a private communications channel where GitHub users can disclose and collaborate with them to resolve security issues, said Justin Hutchings, director of product management at GitHub.

GitHub is the largest independent issuer of Common Vulnerabilities and Exposures, supporting any open source project on GitHub. There's a lot of demand for an easier way to connect researchers and maintainers, however, Hutchings said.

Private security disclosure is a good idea, provided the GitHub community follows through with using it, said one industry expert.

"Any tool that reduces the application security risk speeds up innovation," said Larry Carvalho, principal consultant at Robust Cloud. "Private vulnerability reporting will keep the good actors a step ahead of bad actors and reduce risk to the software community -- the challenge will be to encourage those reporting vulnerabilities to use secret channels."

A system that monetarily rewards this behavior might speed up the adoption process, Carvalho added. HackerOne, which creates and manages bug bounty programs, is one option that GitHub should consider to encourage participation, he said.

GitHub has no plans for a financial incentive structure for private vulnerability reporting, according to a GitHub spokesperson, but the company is working with members of the open source and security research community to gather feedback on this and other topics as the platform rolls out.

GitHub Copilot expansion plans face litigation challenge

Other GitHub Universe news this week included a licensed version of Copilot with admin controls for business and a voice-to-code tool called Hey, GitHub! But industry and legal experts warned the company's response to a class-action lawsuit alleging Copilot copyright infringement might affect this roadmap.

"Copilot for business is a good step forward, but large enterprises should ensure that piracy lawsuits do not affect them," Carvalho said. "One option would be to ensure the agreements with GitHub or [parent company] Microsoft give the customers indemnity from lawsuits."

A GitHub spokesperson said the company will continue to develop Copilot responsibly but declined to comment on whether it will offer indemnity to enterprise customers.

It doesn't make any sense for GitHub or Microsoft to get involved with indemnity at this point, according to attorney Aron Solomon, head of strategy and chief legal analyst at Esquire Digital. However, enterprise developers will expand an enterprise's risk profile if they knowingly provide software that may not be fully compliant with intellectual property law, he said.

A 2016 case may shed some light on the GitHub Copilot lawsuit, according to Solomon. In that case, study guide creator DynaStudy Inc. in Marble Falls, Texas, sued the Houston Independent School District after a group of school district employees redistributed unauthorized copies of a study guide with cropped-out or covered-up copyright warnings and logos. A federal jury found in 2019 that the employees had violated intellectual property law and ordered the school district to pay $9.2 million in damages.

An opinion piece on the decision, attributed to policy attorney Krista L. Cox, noted that willful blindness to copyright law -- for example, where employees know that the resources they distribute are subject to copyright -- does not go over well in copyright cases.

This case carries implications for enterprise use of copyrighted code as well, Solomon said.

"Big companies with deep pockets are going to sometimes do a good job at following intellectual property rules," Solomon said. "And at other times, they're going to do an abysmal job and be sued for far more than licensing ever would have cost them."

Although a release date has not been set, enterprises interested in the business updates to GitHub Copilot can sign up for the wait list.

Finally, GitHub envisions that future iterations of the experimental Hey, GitHub! voice-to-code tool will give early-career developers who are still learning how to code an alternative interface that potentially doesn't require them to understand all the details of code syntax.

Hey, GitHub! might see adoption if developers see an acceleration in writing code through voice commands, but it might be slow to pick up traction, Carvalho said.

"Even if return on investment is delivered, I do not perceive large-scale adoption happening in the short term, i.e., one to two years," he said. "However, there may be value for developers with disabilities."

GitHub also has a wait list for Hey, GitHub! on its website.

Figure: GitHub private vulnerability reporting dashboard. Private vulnerability reporting keeps security issues away from the public eye.
