Date: Tue, 25 Jun 2024 12:15:47 -0700
From: Alan Coopersmith <>
Subject: Fwd: [siren] Reputation Farming Using Closed Github Issues / PRs

-------- Forwarded Message --------
Subject: [siren] Reputation Farming Using Closed Github Issues / PRs
Resent-Date: Mon, 24 Jun 2024 15:29:38 -0700
Date: Mon, 24 Jun 2024 18:29:26 -0400
From: Bennett Pursell <>

Closed Github Issues / Pull Request Activity
Reputation Farming Using Closed Github Issues / PRs
CVE ID (if applicable):


Maintainers have reported in discussions on OpenSSF's Slack suspicious
activity in OSS repositories, especially in Github, against closed issues and
Pull Requests.  This includes commenting on or approving these closed
items.  This can lead to the accounts in question being able to pad their
Github account reputation by seeming to have contributed to those projects.

Reputation farming may seem benign, but in the wake of a number of recent
incidents, OSS maintainers are recommended to have increased awareness of
anyone attempting to gain trust illegitimately.

TTPs/IoCs (if applicable)


    Long-closed and approved Pull-Requests and issues being approved again
    or commented on by users who are not members or contributors to projects

    Non-contributors with no real involvement in projects show seemingly
    significant involvement in OSS projects

Recommended Actions:


    Monitor repository activity and report users who take part in this

    Lock old issues / pull requests / discussions

       Github actions exist to do this automatically after a set period of

Known to be actively exploited?

Yes for reputation farming, further use of this for attacks unknown
Date Added:

June 24, 2024
Resources & Notes


    Discussion on OpenSSF Slack:

       Join the OpenSSF Slack:

    Example of existing Github Actions to lock old threads:


Bennett Pursell
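The two indicators in the post (activity by non-members on long-closed items, and the same accounts piling up such activity) can be checked mechanically. The script below is an added example, not code from the siren post or from OpenSSF; it runs over constructed sample records whose field names follow the shape of GitHub's issue-comment and pull-request-review objects (`author_association`, `created_at`), with the threshold of 90 days and the record layout being assumptions.

```python
from datetime import datetime, timedelta, timezone
from collections import Counter

# author_association values GitHub reports for accounts that are not
# members, collaborators or prior contributors of the project.
UNTRUSTED_ASSOCIATIONS = {"NONE", "FIRST_TIMER", "FIRST_TIME_CONTRIBUTOR"}

# Constructed sample events (not real GitHub data). "closed_at" is the
# close time of the issue/PR the comment or review was posted on.
SAMPLE_EVENTS = [
    {"kind": "comment", "number": 17, "closed_at": "2021-03-02T10:00:00Z",
     "created_at": "2024-06-20T08:11:00Z", "login": "driveby-acct",
     "author_association": "NONE", "state": None},
    {"kind": "review", "number": 42, "closed_at": "2020-11-15T09:30:00Z",
     "created_at": "2024-06-21T13:45:00Z", "login": "newacct123",
     "author_association": "FIRST_TIMER", "state": "APPROVED"},
    {"kind": "comment", "number": 900, "closed_at": "2024-06-18T12:00:00Z",
     "created_at": "2024-06-22T09:00:00Z", "login": "curious-user",
     "author_association": "NONE", "state": None},  # closed 4 days ago: normal
    {"kind": "review", "number": 42, "closed_at": "2020-11-15T09:30:00Z",
     "created_at": "2024-06-21T14:00:00Z", "login": "maintainer1",
     "author_association": "MEMBER", "state": "COMMENTED"},  # trusted: skip
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious_activity(events, min_closed_days=90):
    """Events by non-contributors on items closed >= min_closed_days earlier."""
    hits = []
    for ev in events:
        if ev["author_association"] not in UNTRUSTED_ASSOCIATIONS:
            continue
        if not ev["closed_at"]:  # still open: out of scope here
            continue
        age = _parse(ev["created_at"]) - _parse(ev["closed_at"])
        if age < timedelta(days=min_closed_days):
            continue
        reason = "approval of closed PR" if ev["state"] == "APPROVED" \
            else f"{ev['kind']} on closed item"
        hits.append({"login": ev["login"], "number": ev["number"],
                     "closed_days_ago": age.days, "reason": reason})
    return hits

def accounts_to_review(events, min_closed_days=90):
    """Per-account count of flagged actions, highest first (the 'padding' signal)."""
    return Counter(h["login"] for h in find_suspicious_activity(events, min_closed_days))
```

Tune the threshold and maintain an allow-list of known-good accounts before acting on output; locking old threads, as the post recommends, removes the surface entirely.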

