dmca/2024/09/2024-09-11-rengine.md


Before disabling any content in relation to this takedown notice, GitHub

To learn about when and why GitHub may process some notices this way, please visit our README.


Are you the copyright holder or authorized to act on the copyright owner's behalf?

Yes, I am the copyright holder.

Are you submitting a revised DMCA notice after GitHub Trust & Safety requested you make changes to your original notice?

No

Does your claim involve content on GitHub or npm.js?

GitHub

Please describe the nature of your copyright ownership or authorization to act on the owner's behalf.

I am the [private] and [private] of the open-source project reNgine, an automated reconnaissance framework. reNgine is a widely used open source reconnaissance framework.
The project was initiated by [private] in 2020 and I have been the [private] since the beginning.

https://github.com/yogeshojha/rengine

Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.

The original copyrighted work is 'reNgine', an open-source reconnaissance framework created and maintained by [private] since 2020. reNgine is a web application reconnaissance framework that helps security researchers and penetration testers gather intelligence on target web applications.

reNgine is licensed under the GNU General Public License v3.0 (GPL-3.0), which allows for modification and distribution under certain conditions, including maintaining the same license and providing proper attribution. GPL also allows forking.

The official repository for reNgine can be found at: https://github.com/yogeshojha/rengine

This repository contains all original source code, documentation, and contribution history. The project has been actively maintained and developed since 2020, with regular updates and contributions from the open-source community and [private].

The key components under GPL 3.0 license include:

  1. reNgine core application code
  2. Unique features developed for recon tasks
  3. Security vulnerabilities reported to reNgine

All of these components are original work, created either by myself or by our contributors who have submitted their work under the terms of GPL 3.0 license.

What files should be taken down? Please provide URLs for each file, or if the entire repository, the repository's URL.

The entire repository at https://github.com/Security-Tools-Alliance/rengine-ng should be taken down due to repetitive and systematic copyright infringement and violation of the GPL-3.0 license terms.

This repository, 'rengine-ng', is a fork of my original project that has copied substantial portions of code without proper attribution and has misrepresented the authorship of numerous contributions. The project claims to be a "detached" fork of my original work but has been actively involved in plagiarising the source code, security reports, GitHub issues and feature requests and authoring them as their original work.

Specific examples of infringing content include, but are not limited to:

Copying code word-by-word verbatim and authoring as their original work:

  1. https://github.com/Security-Tools-Alliance/rengine-ng/pull/164/files This pull request copies code verbatim, word-by-word, from the original reNgine pull request: https://github.com/yogeshojha/rengine/pull/1306/files

  2. https://github.com/Security-Tools-Alliance/rengine-ng/pull/147/files This pull request copies code verbatim from the original reNgine pull request: https://github.com/yogeshojha/rengine/pull/1340/files

  3. https://github.com/Security-Tools-Alliance/rengine-ng/pull/141/files This pull request copies code verbatim from a contribution by GitHub user pbehnke to the original reNgine project: https://github.com/yogeshojha/rengine/pull/1205

These examples represent only a fraction of the widespread copying. If you look at these PRs carefully, they have been copying the fixes from the original repo, authoring them as their work, and in some cases even copying the work of community members word-by-word and authoring them as their work. This is not allowed under GPL 3.0. The fork owners have copied substantial portions of code, including entire pull requests and security fixes, and presented them as their original work. This is a clear case of plagiarism and intellectual property theft.

More detail as to why this violates the GPL 3.0 license has been provided in the "How do you believe the license is being violated?" section.

Given the extent of the infringement and the misrepresentation of authorship, I am requesting that the entire 'rengine-ng' repository be taken down.

Do you claim to have any technological measures in place to control access to your copyrighted content? Please see our Complaints about Anti-Circumvention Technology if you are unsure.

No

Have you searched for any forks of the allegedly infringing files or repositories? Each fork is a distinct repository and must be identified separately if you believe it is infringing and wish to have it taken down.

I have searched for forks and identified the main infringing repository mentioned above. To my knowledge, there are no other forks currently engaging in similar infringement.

Is the work licensed under an open source license?

Yes

Which license?

reNgine is distributed under GNU General Public License v3.0 (GPL-3.0)

How do you believe the license is being violated?

My original work reNgine is licensed under GPL-3.0. While forking is a common practice in open source and GPL 3.0 allows it, the claimed "detached" fork project (https://github.com/Security-Tools-Alliance/rengine-ng) is not in compliance with the GPL-3.0 license for the following reasons:

  1. Extensive Code Plagiarism: Substantial portions of code have been copied verbatim and falsely claimed as original work. This directly violates GPL-3.0's attribution requirements. Evidence includes:

a. https://github.com/Security-Tools-Alliance/rengine-ng/pull/164/files This is a word-by-word copy of the PR from reNgine https://github.com/yogeshojha/rengine/pull/1306/files

b. https://github.com/Security-Tools-Alliance/rengine-ng/pull/147/files This is again a word-by-word copy of the PR from reNgine https://github.com/yogeshojha/rengine/pull/1340/files

c. https://github.com/Security-Tools-Alliance/rengine-ng/pull/182/files This is again a word-by-word copy of the PRs from reNgine https://github.com/yogeshojha/rengine/pull/1313/files and https://github.com/yogeshojha/rengine/pull/1328/files

d. https://github.com/Security-Tools-Alliance/rengine-ng/pull/180/files is a word-by-word copy of the PR https://github.com/yogeshojha/rengine/pull/1296/files

e. https://github.com/Security-Tools-Alliance/rengine-ng/pull/141/files This is again a word-by-word copy of the PR from reNgine https://github.com/yogeshojha/rengine/pull/1205/files

This is the work of our community member. The committer has authored these commits from the community member's work and claims them to be their original work. No attribution whatsoever.

In all these cases, the commits are falsely authored as original work by the fork's maintainers.
These examples represent only a fraction of the widespread copying. If you look at these PRs carefully, they have been copying the fixes from the original repo, authoring them as their work, and in some cases even copying the work of community members word-by-word and authoring them as their work. This is not allowed under GPL 3.0. The fork owners have copied substantial portions of code, including entire pull requests and security fixes, and presented them as their original work. This is a clear case of plagiarism and intellectual property theft and violation of GPL 3.0.

  2. Misappropriation of Community Contributions: GitHub issues, including critical security reports, have been duplicated word-for-word and presented as their original work. The fork has copied verbatim and misattributed work contributed by community members to the original reNgine project. This not only violates GPL-3.0 but also infringes on the intellectual property rights of individual contributors and the trust of our community. For example:

a. Security vulnerability reported to us by one of the community members has been duplicated word-by-word, copied and authored as original in the fork: https://github.com/Security-Tools-Alliance/rengine-ng/issues/179, which was originally submitted by one of our community members to reNgine: https://github.com/yogeshojha/rengine/issues/1185. This is the work of [private] and yet again there is no attribution to the original author. This violates not only GPL-3.0 but also infringes on individual contributors' intellectual property rights.

b. Security fix duplicated word-by-word: This security fix PR https://github.com/Security-Tools-Alliance/rengine-ng/pull/180/files is a word-by-word copy of the fix deployed in reNgine, https://github.com/yogeshojha/rengine/pull/1296/files, and is falsely authored by the forked project.

c. Critical security bug fix duplicated yet again: This security fix https://github.com/Security-Tools-Alliance/rengine-ng/pull/2/files is yet again a word-by-word copy of the original fix https://github.com/yogeshojha/rengine/pull/1227/files

There are several other instances, not limited to these. These actions go far beyond simple license non-compliance. They represent a systematic and deliberate misappropriation of others' intellectual property, including but not limited to code, security research (reports), GitHub issues, pull requests, etc.

  3. Violation of GPL-3.0 Attribution Requirements: GPL-3.0 Section 5(a) requires that modified files carry "prominent notices stating that you changed the files and the date of any change." The infringing project has consistently failed to provide these notices, instead presenting copied work as original.

  4. Disregard for Formal Cease-and-Desist: On August 27, 2024, I sent a formal cease-and-desist email. The fork owners not only ignored this but continued their infringing activities, demonstrating willful and ongoing violation. For instance, https://github.com/Security-Tools-Alliance/rengine-ng/issues/179 was copied after receiving my email.

  5. Violation of Open Source Principles: Their actions demonstrate a complete disregard for the collaborative spirit of open source. They've ignored not just the GPL-3.0 license, but its underlying principles of fair usage and attribution, transparency, and community respect.

In none of these many security reports, commits, code, and issues do they mention the original author. For example, for the copied security issues, the rightful owners are the security researchers that reported them to the original repo, and they are mentioned nowhere. In the formal email sent to the project owner, I mentioned that "the contributions that authors have submitted to reNgine in the form of code, issues, security report, and fixes are their work" and cannot be copied, but the repo owner continued to do so in several attempts.

However, given the extensive and deliberate nature of these violations, especially the false claiming of authorship, I strongly believe that the complete removal of the infringing repository is the only appropriate action. These actions demonstrate a fundamental disregard for open source principles, individual contributors' rights, and the integrity of the development process. This is not a case of oversight, but an ongoing pattern of intellectual property theft and violation of the license under which reNgine is distributed.

The GPL-3.0 license allows for forking and modification, but it for sure does not permit the wholesale copying of others' work and falsely claiming it as one's own. Given the extensive nature of these infringements, particularly the consistent false claiming of authorship and removal of copyright notices, I strongly assert that complete removal of the infringing repository is the only appropriate action to remedy these GPL-3.0 violations and protect the rights of reNgine and its contributors.

What changes can be made to bring the project into compliance with the license? For example, adding attribution, adding a license, making the repository private.

This is beyond just adding attribution; it was a clear case of plagiarism, which GPL 3.0 does not allow.

Their actions have demonstrated they cannot be trusted to maintain a legitimate fork with proper attribution.

However, if they decide to maintain this in compliance with GPL 3.0, I recommend the following:

Complete Code Review and Rewrite:
The entire codebase would need to be thoroughly reviewed. Any code directly copied from reNgine or its contributors must be removed or completely rewritten from scratch, especially as it has been described as a "detached" fork.

Community Contributions:
All issues, pull requests, and security reports copied from reNgine must be removed.

Public Acknowledgement and Correction:
The project maintainers should issue a public statement acknowledging the previous license violations and detailing the steps taken to correct them. I recommend reaching out to all affected contributors whose work was falsely copied word-by-word and making the necessary amends.

Temporary Repository Privacy:
While these changes are being implemented, the repository should be made private to prevent further distribution of infringing content.

Given the willful and pervasive nature of the violations, including the continued infringement after a formal cease-and-desist notice, I have serious doubts and concerns about the project maintainers' willingness or ability to bring the project into compliance. The most appropriate action remains the complete removal of the infringing repository.

What would be the best solution for the alleged infringement?

Reported content must be removed

Do you have the alleged infringer's contact information? If so, please provide it.

[private]

I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law.

I have taken fair use into consideration.

I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed.

I have read and understand GitHub's Guide to Submitting a DMCA Takedown Notice.

So that we can get back to you, please provide either your telephone number or physical address.

[private]
[private]
[private]

Please type your full legal name below to sign this request.

[private]