Feb 28, 2020 newsletter

GitHub transparency report reveals growing government interference

GitHub transparency report

GitHub announced the latest version of its transparency report, a yearly compilation of takedown and information requests sent by governments, law enforcement agencies, and companies around the world.

The report reveals the growing importance of GitHub—the world’s largest developer community—as a content moderator and intelligence source.

Law enforcement is sending more criminal requests. In 2019, GitHub processed 218 requests to disclose user information, more than three times as many as in 2018. Those disclosures affected 385 GitHub accounts.

Many of the requests that GitHub received were highly secretive: gag orders prevented GitHub from notifying all but six users.

Governments are censoring more content. GitHub received 16 takedown requests to block or remove user content from three countries—8 from Russia, 6 from China, and 2 from Spain.

That resulted in 54 projects being blocked—a sixfold increase in the number of affected projects between 2018 and 2019.

Developers still face copyright issues. In accordance with the Digital Millennium Copyright Act, GitHub saw fewer total DMCA takedown notices last year, but a 21% spike in the number of repositories affected. Specifically, GitHub received 1,762 takedown notices that resulted in 14,320 projects being permanently removed.

Why it matters: With more than 40M developers and over 100M repositories, GitHub stores and protects lots of valuable content, code, and data. It’s importance to governments and law enforcement continues to grow over time.

Bug bounty programs explode in popularity—with money


HackerOne, the world’s largest bug bounty platform, released its 2020 Hacker Report detailing the growth of the hacker community over the last year using data from its community of 600,000 developers.

Lots of hackers are making lots of money. The number of developers on the HackerOne platform doubled over the last year. Companies are signing up, too: HackerOne now boasts more than 1,700 customer programs.

Developers earned nearly $40M in bounties in 2019—almost as much as all preceding years combined. So far, seven hackers have passed $1M in lifetime earnings. Not bad.

Want to become a hacker? Many are self-taught, learning in their spare time. About 84% of developers said they learned hacking techniques through online resources and self-directed materials and nearly 60% of developers hack as a hobby or in their free time.

Those skills can be put to use elsewhere. Within the HackerOne community, 78% of hackers acknowledged using their hacking experience to help them find or better compete for a career opportunity.

Governments are actually leading the way. Government-led hacker-powered security programs grew 214% over the last year. In 2019 alone, HackerOne launched 22 programs and 36 altogether since 2016 with governments in North America, Asia and Europe.

In the US, the Department of Defense has been a leader in the bug bounty platform, partnering with HackerOne to help run Hack the Pentagon, Hack the Army, and Hack the Air Force.

Still, not all bugs get reported. Almost two-thirds (63%) of hackers say they’ve found bugs and not reported them—a result of threatening legal language, complicated reporting processes, and unresponsive companies. HackerOne shows that the world is beginning to embrace developer-led bounty programs, but much work is left to be done.

Tech debt is a giant problem for developers

Tech debt

CodeAhoy, a popular developer blog, asked its community to share their experience with tech debt and its impact on software development. Developers revealed that tech debt is a growing problem that receives too little attention by most engineering teams.

Most teams have lots of tech debt. A majority of developers—about 68%—said they worked on products with high or very high amounts of tech debt.

A mere 5% of developers said their product had low amounts of tech debt. Not a single developer said their codebase contains no tech debt.

It makes developers want to quit. While tech debt can impede development velocity and release frequency, it also has a serious negative impact on developer morale and retention. According to the survey, 50% of developers said they were likely or very likely to leave their jobs because of tech debt.

Who’s at fault? Most developers blame management for ballooning tech debt. A full 80% of developers believed their managers were aware of their tech debt problem, but either didn’t care or didn’t have a plan to fix it. Just 16% of developers felt that management was actually working to pay off tech debt.

Zoom out: For many engineering teams, tech debt can constrain both financial and developer resources. By some estimates, developers spend 13.5 hours managing technical debt and 3.8 hours dealing with bad code every single week—which equates to a nearly $300B loss in global annual GDP.

For technology companies—and the developers that power them—tech debt is a worsening problem, but one that seems unlikely to be solved soon.

Attacks on APIs are accelerating

API attacks

New data from Akamai, a cybersecurity and cloud service provider, showed that one in every five attempts to gain unauthorized access to user accounts is done through APIs.

That’s a notable shift from more traditional methods that use user-facing login pages, and indicates the growing importance of APIs in modern development—and security.

APIs are targeted more frequently. Between 2018 and 2019, Akamai observed 85.4 billion credential abuse attacks against companies that use its services. Many attacks involved credential stuffing—a brute-force attack using a list of leaked credentials to try to gain access to accounts.

About 20% of those attacks, roughly 16.5 billion, specifically targeted API endpoints.

Why APIs? Getting user information from user-facing apps and web pages can be tedious or cumbersome for malicious actors. APIs, however, return data in a structured and standardized format, making it easy to automate large-scale attacks.

API usage and adoption is growing, too. More companies are building APIs as core parts of their development stacks, potentially opening up new ways to gain unauthorized access to company data.

Financial services are particularly vulnerable. In Europe, regulation requires that financial institutions make their customers’ data accessible through APIs, according to the Payments Services Directive (PSD2). Combine the value of banking data with the convenience of APIs, and financial institutions become obvious targets. By some estimates, financial services were exposed to a staggering 473 million credential stuffing attacks over the last two years.

What to do? Developers should add rate limiting to products for authentication attempts. Developers can also make sure that error responses from APIs don’t disclose information about an account—especially whether or not an account actually exists.

Small bytes

  • Microverse, a startup using Income Share Agreements to teach students in the developing world how to code, raised $3.2M in seed funding. While ISAs have a checkered history in the US, many hope they can bring lucrative development jobs to all regions of the world [TECHCRUNCH]
  • Firefox began its rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The move encrypts more web traffic to prevent spying by DNS providers [MOZILLA]
  • Hasura, a startup building an open source engine to connect databases and microservices to create production-ready GraphQL backends, announced that it raised nearly $10M in funding. GraphQL is changing the API landscape, giving developers a new powerful tool for easy data querying [SILICON ANGLE]
  • The Clojure community released its State of Clojure report detailing how the language has grown over the last few years. Since 2010, a growing percentage (roughly 70%) of Clojure developers are using the language at work [CLOJURE]
  • The iOS Developer Community Survey was released this week. The report is the largest survey of Apple platform developers ever undertaken [IOS DEV SURVEY]


  • Lazygit is a simple terminal UI for git commands [GITHUB]
  • Destiny is Prettier for file structures [GITHUB]
  • Goxygen lets you generate a Full Stack Web project with Go, React, and MongoDB in seconds [GITHUB]
  • GUIJS is an app that helps you manage JS projects with a graphical user interface [GUIJS]
  • Panolens is a lightweight and flexible event-driven and WebGL based panorama viewer [PANOLENS]
  • Metacode is a VS Code extensions that lets you search your codebase in natural language [METACODE]
Never miss the big news

Every week, our team will send you three of the most important stories for developers, including our analysis of why they matter. Software development changes fast, but src is your secret weapon to stay up to date in the developer world.

Featured articles
Made with by Software. Read more about our mission.