OpenSSF Warns of Reputation Farming Leveraging Closed GitHub Issues and PRs

OpenSSF sent an alert via its Siren mailing list this week about the objectionable practice of reputation farming, which members have recently observed happening on closed GitHub issues and PRs. The mailing list is used for real-time threat intelligence updates but also to raise public awareness about security issues and practices in the open source community.

Reputation farming is a means of artificially inflating one’s status or credibility within a community by manipulating interactions and contributions. This can undermine the integrity of the platform by misleading others about the individual's actual contributions and expertise. It could also be the opening act of for a social engineering attack.

Participants in the discussion on OpenSSF’s Slack channel reported that suspicious and spammy accounts have been commenting on and approving issues and PRs that were closed/merged over a year ago. This results in the GitHub user having a contribution on their activity feed that shows they have approved a merged PR to various high-profile projects.

It also appears to be an issue of spam, where these accounts attempt to make useless contributions in order to gain reputation. This can negatively impact maintainers, draining time that could be put towards more productive efforts, especially if the spam campaigns get automated to scale into a more widespread issue.

“Reputation farming may seem benign, but in the wake of a number of recent incidents, OSS maintainers are recommended to have increased awareness of anyone attempting to gain trust illegitimately,” OpenSSF Ecosystem Strategist Bennett Pursell said.

Those who have encountered these accounts have reported them to GitHub and have also filed a bug report so that reviews like this one will not count in users’ contribution stats.

GitHub has already navigated several spam campaigns targeting open source projects in 2024, with the tea.xyz crypto spam polluting repos with garbage PRs in March, and the February incident where job seekers inundated the Express.js repo with spam PRs.

How to Deter Reputation Farming in Your Repos#

OpenSSF recommends open source maintainers employ three strategies for deterring reputation farming in their repos:

• Monitor repository activity and report users who take part in this behavior.
• Lock old issues and pull requests / discussions.
• Consider using a GitHub Action to lock closed issues, pull requests and discussions after a period of inactivity.

Unfortunately, the necessity for these manual actions results in more work for open source contributors and maintainers. The process of flagging these accounts as spam is tedious and time-consuming.

OpenSSF has not seen the reputation farming lead directly to attacks but warns open source maintainers to be vigilant about not letting their repositories lend these accounts credit for their illegitimate spam contributions.