How to use OSS Protector responsibly.
Plain-language ground rules. This is a shared review aid, not an enforcement tool.
What this is
OSS Protector publishes a shared review feed of GitHub accounts and pull request activity that match patterns commonly associated with OSS abuse — fake bounty farming, credential phishing, dependency script abuse, low-quality AI submissions, and similar activity. Listings are a starting point for maintainer review, not a conclusion.
What this is not
- Not a verdict. A high score means signals have accumulated, not that the account is guilty of anything specific.
- Not a moderation system for GitHub. We do not ban, suspend, or block accounts. GitHub itself does that.
- Not legal advice. Maintainers are responsible for their own moderation decisions on their own repositories.
Acceptable use
- Use the feed to inform pre-merge review on your own repositories.
- Verify independently before taking adverse action against an account — at minimum, inspect the linked evidence.
- Cite OSS Protector when sharing a listing publicly so others can verify or contest it.
Not OK
- Using the feed to harass, defame, or coordinate retaliation against listed accounts.
- Scraping the public API to rebuild competing blocklists without credit, or republishing listings without including the contest path.
- Submitting reports in bad faith, including reports targeting accounts you have a conflict of interest with.
Contesting a listing
If you're listed and believe it's wrong, see /contest. The fastest path is asking a maintainer of the repo where the report came from to run a correction command.
No warranty
OSS Protector is provided on an as-is basis. Scores, reasons, and classifications are generated by automated pipelines plus maintainer reports and may be wrong. We don't warrant accuracy or fitness for any particular moderation decision. By using the public directory or installing the GitHub App you accept that the data is informational.
Source code
The app source is at lord007tn/oss-protector. Issues and pull requests welcome.