Willem de Groot published a list of web stores that contain malware. He first hosted this list on GitHub but it was deleted. Then he hosted it on GitLab where it was also deleted. The reason we gave him for the deletion was "GitLab views the exposure of the vulnerable systems as egregious and will not abide it.". Willem wrote about his experience in a blog post.
At GitLab we strongly believe in responsible disclosure, for examples of this see our policy or Hacker One's guidelines. So publishing a list of servers that are vulnerable or hacked without contacting the owner first and giving them time to remedy the situation is not OK.
But in this case the victim of the vulnerability is not only the owner but also the users of the web store. The owners of web stores have a responsibility to their users. And it is in the users interest to have the list published so owners fix their stores. We currently think that the interest of the user weights heavier. Therefore we reinstated the snippet.
Willem just tweeted about my phone call to him to apologise. Thanks for that!
We applaud Willem's effort to protect users from malware. We'll keep listening and will do our part to make the internet a more secure place for everyone.
