The agreement prohibits uploading, hosting, or transmitting malicious code, and also prohibits using GitHub infrastructure as part of any system designed to deliver or amplify cyberattacks, including command-and-control infrastructure.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision prohibits not only direct malware hosting but also the use of GitHub repositories or infrastructure as attack support systems, which has particular relevance for security researchers whose dual-use tools or proof-of-concept exploit code may be assessed under this restriction.
Interpretive note: The scope of 'part of a system designed to deliver or amplify cyberattacks' is not precisely defined in the master AUP and requires reference to the subsidiary active malware and exploits sub-policy for further interpretive guidance, particularly for dual-use security tools.
Under this clause, hosting malicious code or using GitHub infrastructure to support cyberattack delivery or command-and-control operations is prohibited, and such content or accounts are subject to removal or suspension. Security researchers should note that dual-use tools and proof-of-concept exploit code may require evaluation against this provision and GitHub's specific security research policy.
How other platforms handle this
You may not automatedly crawl or query the Services for any purpose or by any means (including, without limitation, screen and database scraping, spiders, robots, crawlers and any other automated activity with the purpose of obtaining information from the Services) unless you have received prior exp...
relate to transactions involving (f) the promotion of hate, violence, racial or other forms of intolerance that is discriminatory or the financial exploitation of a crime... (i) involve offering or receiving payments for the purpose of bribery or corruption.
You must not, and must not allow others to: Facilitate illegal or harmful activity through the End User Services; Cause harm to us or others through the End User Services;
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You may not upload, post, host, or transmit any content that: contains malicious code, or is part of a system designed to deliver or amplify cyberattacks, including by providing infrastructure for hosting malicious content or command-and-control for attacks.— Excerpt from GitHub's GitHub Acceptable Use Policies
1) REGULATORY LANDSCAPE: This provision engages the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to computer systems and the distribution of code used to damage protected computers. It may also engage the Electronic Communications Privacy Act (ECPA) and relevant international cybersecurity frameworks. The Cybersecurity and Infrastructure Security Agency (CISA) and DOJ are the primary federal enforcement authorities for CFAA-related conduct. 2) GOVERNANCE EXPOSURE: Medium. The phrase 'part of a system designed to deliver or amplify cyberattacks' introduces interpretive complexity for legitimate security research, penetration testing tools, and educational exploit repositories. GitHub maintains a separate sub-policy on active malware and exploits that provides additional definitional guidance, but the master AUP's prohibition language is broad. 3) JURISDICTION FLAGS: EU jurisdictions under the Network and Information Security (NIS2) Directive impose obligations on platform operators regarding cybersecurity incident management that may interact with this prohibition. US federal and state computer fraud statutes vary in their treatment of dual-use security tools. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations in the cybersecurity industry hosting vulnerability research, exploit proof-of-concept code, or offensive security tooling on GitHub should assess whether their repositories could be characterized under this provision. Procurement teams at security firms should review GitHub's active malware and exploits sub-policy alongside this master prohibition. 5) COMPLIANCE CONSIDERATIONS: Security research teams should review GitHub's subsidiary active malware and exploits policy for definitional guidance on what constitutes prohibited attack infrastructure versus permissible dual-use security tooling. Responsible disclosure workflows and coordinated vulnerability disclosure repositories should be assessed against this provision.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision prohibits not only direct malware hosting but also the use of GitHub repositories or infrastructure as attack support systems, which has particular relevance for security researchers whose dual-use tools or proof-of-concept exploit code may be assessed under this restriction.
Under this clause, hosting malicious code or using GitHub infrastructure to support cyberattack delivery or command-and-control operations is prohibited, and such content or accounts are subject to removal or suspension. Security researchers should note that dual-use tools and proof-of-concept exploit code may require evaluation against this provision and GitHub's specific security research policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.