
Github

Github deploys consent bypass infrastructure for platform integration features. Zero Oracle/Broker risk (it is a development platform, not a surveillance tool), but Counselor violations create consent liability for essential developer tooling.

17 IOCs · 2 detections · 50% pre-consent · 2 sites

Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Github discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

2 detections across 2 sites · 50% pre-consent activity
CRITICAL

Pre-Consent Activity

Github was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

GDPR · ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap
Customer Impact

What This Means For You

Engineering teams inherit consent liability for essential developer tooling that has a legitimate business purpose. Legal teams must defend privacy violations for a platform that provides clear value (unlike pure surveillance vendors). Compliance teams face regulatory scrutiny over the technical implementation, not the business necessity.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Github

  • Audit Github integration: what functionality requires client-side script? (Login, widgets, marketplace)
  • Configure consent-first loading: delay Github script until consent banner interaction
  • Contact Github support: request documentation for privacy-compliant integration methods

If You're Evaluating Github

  • Verify business necessity: is client-side Github script required, or can functionality work server-side?
  • If pre-consent loading is unavoidable: document legitimate interest assessment under GDPR Article 6(1)(f)
  • Implement technical controls: load Github script only on pages where functionality is required (not site-wide)
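The "consent-first loading" and "only on pages where functionality is required" controls in the two lists above amount to one mechanism: queue the third-party script, and inject it only once the CMP reports the matching consent category and the current path needs it. The following is an added example, not code from Github or from this briefing; it assumes a CMP that hands over granted categories as an array of strings, that Github widgets/OAuth sit in a "functional" category, and uses placeholder script URLs.

```javascript
// Added example, not code from Github or from this briefing: a consent-gated
// loader that defers third-party <script> tags until the visitor grants the
// matching consent category, and only on the pages that need them.
//
// Assumptions (not from the page): the CMP hands you the granted categories
// as an array of strings, Github widgets/OAuth fall in the "functional"
// category, and the script URLs below are placeholders.

const CONSENT_CATEGORIES = new Set(['necessary', 'functional', 'analytics', 'marketing']);

class ConsentGate {
  // `inject(src)` performs the actual <script> insertion. It is passed in so
  // the gating logic can be exercised without a DOM.
  constructor(inject) {
    this.inject = inject;
    this.granted = new Set(['necessary']); // strictly necessary scripts never wait
    this.pending = [];
    this.loaded = [];
  }

  // Queue a script; nothing is injected until flush() sees consent for its
  // category AND a path match. pathPattern null means every page.
  register({ src, category, pathPattern = null }) {
    if (!CONSENT_CATEGORIES.has(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.pending.push({ src, category, pathPattern });
    return this;
  }

  // Record categories the CMP reports as granted (call from its callback).
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    return this;
  }

  // Inject every queued script whose category is granted and whose pattern
  // matches `path`; leave the rest queued. Returns the srcs injected now.
  flush(path) {
    const injected = [];
    this.pending = this.pending.filter((entry) => {
      const consented = this.granted.has(entry.category);
      const onPage = entry.pathPattern === null || entry.pathPattern.test(path);
      if (!(consented && onPage)) return true; // keep waiting
      this.inject(entry.src);
      this.loaded.push(entry.src);
      injected.push(entry.src);
      return false;
    });
    return injected;
  }
}

// Real injector for a browser page: append an async <script> to <head>.
function domInjector(doc) {
  return (src) => {
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  };
}

// Walk the lifecycle with a recording injector instead of a DOM, so this runs
// outside a browser. Returns what was injected at each step.
function simulate() {
  const injected = [];
  const gate = new ConsentGate((src) => injected.push(src));
  gate.register({ src: 'https://example.invalid/github-widget.js', category: 'functional', pathPattern: /^\/integrations\// })
      .register({ src: 'https://example.invalid/analytics.js', category: 'analytics' });

  const beforeConsent = gate.flush('/integrations/github'); // only 'necessary' granted: nothing loads
  gate.grant(['functional']);
  const wrongPage = gate.flush('/pricing');                  // consented, but not a page that needs it
  const afterConsent = gate.flush('/integrations/github');  // widget loads now; analytics still waits

  return {
    beforeConsent,
    wrongPage,
    afterConsent,
    stillPending: gate.pending.map((e) => e.src),
    injected,
  };
}

// Browser wiring (assumed CMP callback name; adapt to your CMP):
//   const gate = new ConsentGate(domInjector(document));
//   gate.register({ src: '...', category: 'functional', pathPattern: /^\/integrations\// });
//   window.onConsentUpdate = (cats) => { gate.grant(cats); gate.flush(location.pathname); };
```

The point of the injectable `inject` function is that the decision ("may this script run here, now?") is separated from the side effect, so the gate can be unit-tested and audited without a browser. Call `flush()` again on client-side navigation, since a script that was withheld on one path may be needed on the next.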

Negotiation Leverage

  • Github creates consent liability through poor privacy implementation of legitimate developer tooling
  • Unlike surveillance vendors, Github provides clear business value - focus negotiation on technical architecture, not contract termination
  • Demand Github provide consent-first integration documentation or accept liability for current implementation
  • Legitimate interest defense possible under GDPR Article 6(1)(f) if functionality is essential and no privacy-safe alternative exists - document assessment
Runtime Detections

1 BTI-C code

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Platform integration loads before user consent opportunity, creating per-visitor GDPR Article 7 violation. Developer tool context does not exempt from consent requirements - ePrivacy Directive applies to all cookies/scripts regardless of purpose.

IOC Manifest

8 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.


Ecosystem & Supply Chain

Github operates as a developer platform, not a surveillance vendor. The integration is most likely for repository widgets, OAuth login, or marketplace features. Unlike advertising/analytics consent bypass (a clear violation), developer tooling creates a gray area: legitimate functionality implemented with poor privacy architecture.
Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses
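If you hold a HAR export of your own pages, the pre-consent check reported in the key findings can be approximated offline: every request to the vendor's hosts whose `startedDateTime` precedes the CMP's consent-record call fired before consent. The following is an added example, not BLACKOUT's tooling; the HAR is constructed inline, the CMP consent endpoint pattern and the vendor host list are assumptions (the hosts are illustrative, not this briefing's IOC list), and the request paths are placeholders.

```javascript
// Added example, not BLACKOUT's tooling: approximate the pre-consent check
// against a HAR export of your own site. Every vendor request whose
// startedDateTime precedes the CMP's consent-record call is flagged.
//
// Assumptions (not from the page): the CMP logs consent with a request
// matching CMP_CONSENT_URL, and VENDOR_HOSTS lists the hosts you care about
// (illustrative, not the briefing's IOC list). The HAR below is constructed.

const VENDOR_HOSTS = ['github.com'];               // matches github.com and any subdomain
const CMP_CONSENT_URL = /\/cmp\/consent(\?|$)/;    // assumed CMP endpoint shape

const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2024-05-01T12:00:00.000Z', request: { method: 'GET',  url: 'https://www.example.invalid/integrations/github' } },
  { startedDateTime: '2024-05-01T12:00:00.120Z', request: { method: 'GET',  url: 'https://github.com/placeholder/widget.js' } },  // before consent
  { startedDateTime: '2024-05-01T12:00:03.000Z', request: { method: 'POST', url: 'https://cmp.example.invalid/cmp/consent' } },   // consent recorded
  { startedDateTime: '2024-05-01T12:00:03.500Z', request: { method: 'GET',  url: 'https://api.github.com/placeholder' } },        // after consent
] } };

function hostMatches(hostname, vendorHosts) {
  return vendorHosts.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Time of the first request to the CMP consent endpoint, or null if the
// session never recorded consent (then every vendor request is pre-consent).
function findConsentTime(har, cmpPattern) {
  const hit = har.log.entries.find((e) => cmpPattern.test(e.request.url));
  return hit ? hit.startedDateTime : null;
}

function vendorRequests(har, vendorHosts) {
  return har.log.entries.filter((e) => hostMatches(new URL(e.request.url).hostname, vendorHosts));
}

// Vendor requests that started before consent, with how far ahead they were.
function preConsentRequests(har, vendorHosts, consentAt) {
  const t0 = consentAt === null ? Infinity : Date.parse(consentAt);
  return vendorRequests(har, vendorHosts)
    .filter((e) => Date.parse(e.startedDateTime) < t0)
    .map((e) => ({
      url: e.request.url,
      msBeforeConsent: consentAt === null ? null : t0 - Date.parse(e.startedDateTime),
    }));
}

// Fraction of this session's vendor requests that fired before consent.
function preConsentShare(har, vendorHosts, consentAt) {
  const all = vendorRequests(har, vendorHosts).length;
  return all === 0 ? 0 : preConsentRequests(har, vendorHosts, consentAt).length / all;
}

function analyzeSample() {
  const consentAt = findConsentTime(SAMPLE_HAR, CMP_CONSENT_URL);
  return {
    consentAt,
    flagged: preConsentRequests(SAMPLE_HAR, VENDOR_HOSTS, consentAt),
    share: preConsentShare(SAMPLE_HAR, VENDOR_HOSTS, consentAt),
  };
}
```

Run it against a real HAR by replacing `SAMPLE_HAR` with `JSON.parse(fs.readFileSync(path))` and adjusting `CMP_CONSENT_URL` to your CMP. Capture the session from a fresh profile with no stored consent, or the CMP will report consent at page load and nothing will be flagged; a session where the visitor never accepts should flag every vendor request, which the `null` consent branch handles.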

IOC Manifest

17 detection signatures across scripts, domains, cookies, and network endpoints
