Microsoft removed from GitHub code (copy) containing a prototype exploit demonstrating how a critical vulnerability in Microsoft Exchange works. This action caused indignation among many security researchers, since the exploit prototype was published after the patch had been released, which is common practice.
Later, GitHub representatives justified the removal by citing an item in the GitHub rules that prohibits placing malicious code or exploits in repositories. However, this rule had not previously been applied to prototype code posted by researchers to analyse attack methods after the vendor has released a patch.
Since such code is usually not removed, GitHub’s actions were perceived as Microsoft using its administrative leverage to block information about a vulnerability in its product. Critics have accused Microsoft of double standards and of censoring content of great interest to the security research community simply because the content is detrimental to Microsoft’s interests. In the opinion of a member of the Google Project Zero team, the practice of publishing exploit prototypes is justified and the benefits outweigh the risk, since there is no way to share the results of security research with other specialists while ensuring that this information does not fall into the hands of intruders.
A researcher from Kryptos Logic objected, pointing out that in a situation where there are more than 50 thousand unpatched Microsoft Exchange servers, publishing exploit prototypes that are ready for use in attacks looks questionable. The harm that early publication of exploits can cause outweighs the benefit to security researchers, since such exploits endanger a large number of servers on which updates have not yet been installed.