Plain-English risk rating: 4 of 5 (Free/Pro/Pro+) / 2 of 5 (Business/Enterprise)

GitHub Copilot Free, Pro, and Pro+ sit at 4 of 5 — higher than the other paid-tier consumer AI products in this database. The April 24, 2026 policy change flipped these tiers from opt-in to opt-out for training, the change was announced 30 days in advance via a blog post and changelog (not via in-product notification), and the community response on GitHub's own changelog was overwhelmingly negative (59 thumbs-down votes vs 3 supportive). The underlying product is also at high risk for the canonical AI-development-tool problem: prompt injection that exfiltrates private repository code, exemplified by CamoLeak (CVE-2025-59145, CVSS 9.6) — silently steals source code and secrets from private repos.

Business and Enterprise tiers sit at 2 of 5. Both are contractually exempt from training (and that exemption was reaffirmed during the April 2026 policy change). The underlying vulnerability surface (prompt injection, output validation flaws) still applies, but the contractual data-handling defaults are genuinely enterprise-grade.

This is the first vendor in this database where the consumer-tier rating moved upward (toward higher risk) during 2026 due to a policy change. Previously GitHub Copilot Pro was a reasonable choice for individual developers. After April 24, 2026, it requires active opt-out to remain so.

Recommended for

Sole proprietor developer: Opt out of training in Copilot settings immediately (link below). Or move to Copilot Business at $19/user/month — exempt from training by contract, and the price gap is small for a self-employed developer doing client work
Small team (2-10 developers): Copilot Business ($19/user/month) is the right tier. The $9/month savings vs Pro per developer is not worth the policy uncertainty and the contractual training exclusion
Regulated industry: Copilot Enterprise with SAML SSO, audit logging, and content exclusions configured. Use the IP indemnification clauses where applicable
The honest answer for any business with proprietary code: Stop using Copilot Pro/Free/Pro+ for work today. Either opt out manually (and accept that the policy may change again) or upgrade to Business. The cost of one developer accidentally exposing proprietary code is much higher than the $9-19/user/month upgrade

What changed on April 24, 2026

GitHub announced on March 25, 2026, that interaction data from Copilot Free, Pro, and Pro+ users would be used to train AI models by default starting April 24, 2026. The previous policy (from the launch of Pro through March 24, 2026) required opt-in consent.

Specifically, the new default policy uses for training:

Prompts sent to Copilot
Approved or edited Copilot outputs (code completions, chat answers)
Code snippets and surrounding context from your editor
File context and project context

This applies to work in private repositories as well as public ones, for the affected tiers.

Business and Enterprise tiers are exempt by contract — the April 24 change explicitly does not apply to them.

To opt out (must be done explicitly on the affected tier):

Click your profile picture in GitHub
Settings → Copilot
Under Privacy, find "Allow GitHub to use my data for AI model training"
Toggle to Disabled
Reload to verify the change persisted

There is no per-repository control; the toggle applies to the entire account.

Note: If you previously disabled the older "prompt and suggestion collection" setting, your preference should have carried over without action needed. But verify, because policy transitions sometimes reset preferences.

GitLab and other competitors have publicly used this change to position themselves as more privacy-friendly. The community response on GitHub's own announcement was sharply negative — particularly from Pro and Pro+ users paying $10-39/month who felt that paying customers should not be opt-out targets.

Data retention default

Free/Pro/Pro+ (post-April 24, 2026): Interaction data used for training unless opted out. Specific retention periods for non-training storage not prominently disclosed
Business/Enterprise: No training use of customer data; standard GitHub data retention applies (per Enterprise contract)
Copilot Chat history: Retained per user account preferences

Training opt-out

Free, Pro, Pro+ — TRAINING IS ON BY DEFAULT as of April 24, 2026. Opt-out is straightforward but requires action.

Business, Enterprise — TRAINING IS CONTRACTUALLY EXCLUDED BY DEFAULT. No user-side toggle needed.

Important distinctions:

The opt-out applies if you are signed in with your personal account. If you are signed in via a Business/Enterprise license (typically via SAML SSO through your employer), your data is covered by the Business/Enterprise contract terms regardless of the personal Pro toggle
A Pro user who happens to work at a company with a Business license is NOT automatically protected by that license — they must use the Business-licensed Copilot through the Business account
Data used for training may be shared with GitHub's affiliated companies including Microsoft

Zero Data Retention availability

Not offered in the same form as the OpenAI / Anthropic / Perplexity API ZDR
The Business/Enterprise contract excludes training but does not eliminate data retention entirely (logs are retained for service operation, abuse monitoring, and audit purposes per the standard GitHub data lifecycle)

Plan tiers and pricing (as of early 2026)

Tier	Price (USD)	Training on your data?	Suitable for
Free	$0 (limited usage)	Yes, unless opted out (post-April 24, 2026)	Personal experimentation; not for proprietary work
Pro	$10/month	Yes, unless opted out (post-April 24, 2026)	Personal projects; opt out for client work
Pro+	$39/month	Yes, unless opted out (post-April 24, 2026)	Heavy individual use; same caveats
Business	$19/user/month	No — contractually excluded	Small teams (best value for business use)
Enterprise	$39/user/month	No — contractually excluded	Larger organisations needing SAML, audit, content exclusions

The Pro vs Business pricing gap is only $9/user/month, which is the smallest "upgrade to commercial tier" gap of any AI product in this database. For any business use, the upgrade is a clear privacy-per-dollar win.

Jurisdiction

Primary processor: GitHub, Inc. (Microsoft subsidiary), San Francisco, California, USA
Cloud infrastructure: Primarily Microsoft Azure
Pre-inference prompt screening proxy hosted in Microsoft Azure (per Microsoft's GitHub Copilot security architecture documentation)
EU Data Boundary considerations apply to Business and Enterprise tiers with appropriate configuration

Breach history (public incidents)

June 2025 / disclosed October 2025 — CamoLeak (CVE-2025-59145, CVSS 9.6)

Legit Security researcher Omer Mayraz discovered a critical vulnerability in GitHub Copilot Chat that allowed silent exfiltration of source code and secrets from private repositories. The attack combined remote prompt injection (via GitHub's "invisible comments" feature in pull request descriptions) with a novel Content Security Policy bypass that abused GitHub's own Camo image proxy service.

How it worked: The attacker embedded a hidden prompt in a pull request description (using invisible HTML comments). The prompt instructed Copilot Chat — when invoked by any victim user reading the PR — to locate sensitive information in the victim's private repositories (AWS keys, API credentials, source code containing zero-day descriptions) and then "render" that data as a sequence of invisible images using pre-generated Camo proxy URLs. Each image request from the victim's browser to the attacker's server leaked one character of the sensitive data. The full sensitive content could be reconstructed from the request pattern.

Critical properties of the attack:

Zero user interaction required beyond invoking Copilot Chat normally
Worked across user boundaries (the user who injected the malicious prompt did not need to be the same as the victim user)
Bypassed GitHub's CSP using GitHub's own infrastructure (the Camo proxy was an allowed domain)
Read from private repositories the victim user had access to, regardless of repository ownership
Could also be used to make Copilot suggest malicious code or links to the victim, providing supply-chain attack vectors

GitHub patched on August 14, 2025 by completely disabling image rendering within Copilot Chat. The fix was effective for the specific exploit but reduced product functionality. Mayraz publicly disclosed the technical details on October 8, 2025 after the patch was deployed.

This is the GitHub Copilot equivalent of EchoLeak — same class of vulnerability (indirect prompt injection in agentic AI reading user data), same family of mitigation challenges, similar CVSS score (9.6 vs EchoLeak's 9.3).

Sources: Legit Security disclosure (October 2025); Security Boulevard analysis; Information Security Media Group; eSecurity Planet; Cybersecurity News; CVE-2025-59145 NVD entry

November 11, 2025 — CVE-2025-62449 (Visual Studio Code Copilot Chat path traversal) and CVE-2025-62453 (AI output validation bypass)

Microsoft disclosed two related vulnerabilities. CVE-2025-62449 affects the VS Code Copilot Chat extension and stems from improper path-traversal handling (CWE-22); local attackers with limited user privileges could exploit it to access sensitive files. CVE-2025-62453 (CVSS 5.0) affects both GitHub Copilot and VS Code via improper validation of generative AI output, allowing AI suggestions to bypass intended security validations.

Both were rated "Important" by Microsoft's severity classification. Patches were issued. The broader implication: AI-generated output that's accepted by tooling without sufficient validation is a new vulnerability class, distinct from traditional input validation problems.

Source: GBHackers (November 2025); Microsoft Security Response Center

Note on the broader code-quality vulnerability class: Research has consistently found that approximately 29.1% of AI-generated Python code contains security weaknesses including SQL injection, cross-site scripting, and authentication bypass vulnerabilities. Repositories using Copilot exhibit ~6.4% secret leakage rates, approximately 40% higher than traditional development. These are not breaches of Copilot itself, but they are direct downstream consequences of Copilot use that affect every Copilot customer. SMB owners deploying Copilot should treat AI-generated code as untrusted external contributions requiring security review equivalent to third-party library inclusions.

Source: MintMCP research summary (December 2025)

Note on the GitHub platform more broadly: GitHub itself (separate from Copilot) had a confirmed data breach disclosed in May 2026 affecting credential stores. The incident does not appear to involve Copilot specifically but does affect any GitHub customer's overall threat model. Worth re-verifying breach scope when this profile is updated.

What this means in plain English for SMB owners

Three honest takeaways:

The April 24, 2026 policy change is the most important Copilot decision SMB owners need to make right now. If your developers are on Free, Pro, or Pro+, they need to either opt out (today) or you need to move them to Business ($19/user/month). Doing nothing means their code has been training material since April 24. There is no acceptable middle ground for proprietary work.

CamoLeak is the canonical incident for any business doing development with AI assistants. A 9.6 CVSS vulnerability that silently exfiltrated source code from private repos is the kind of incident you have to assume will recur in some form. Mitigations: prefer Business/Enterprise tiers (which apply additional content exclusions), keep Copilot updated, treat any unexpected behaviour from Copilot Chat (suggesting odd URLs, asking unusual questions about your code) as a potential injection attempt.

AI-generated code quality is a separate problem from AI-vendor privacy. Even with the best vendor on the best tier, ~30% of AI-generated code has security issues that need review. SMB owners deploying Copilot should budget for code review time and consider AI-aware security scanning tools. The productivity uplift from Copilot is real but it comes with a code-review uplift that is often understated in marketing materials.

Sources

GitHub Privacy Statement update for Copilot data use for model training (Discussion #188488, March-May 2026)
GitLab blog: GitHub Copilot's policy for AI training — a governance wake-up call (April 2026)
WaveSpeed: GitHub Copilot Data Training Policy in 2026 (May 2026)
DevelopersIO: Copilot interaction data AI training opt-out 2026 (March 2026)
danilchenko.dev: GitHub Copilot Will Train on Your Code by Default — How to Opt Out Before April 24 (March 2026)
Legit Security: CamoLeak technical disclosure (October 2025)
Security Boulevard: CamoLeak Critical GitHub Copilot Vulnerability (October 2025)
Information Security Media Group: GitHub Copilot Chat Flaw Let Private Code Leak Via Images (October 2025)
Cybersecurity News: Critical GitHub Copilot Vulnerability Source Code Exfiltration (October 2025)
eSecurity Planet: GitHub Copilot Flaw Exposed Private Code in CamoLeak (October 2025)
Cybersecurity News follow-up: Hackers Exploit GitHub Copilot Vulnerability (April 2026)
GBHackers: GitHub Copilot and Visual Studio Flaws (November 2025) — CVE-2025-62449, CVE-2025-62453
Microsoft Tech Community: Demystifying GitHub Copilot Security Controls (November 2025)
MintMCP: GitHub Copilot security risks (December 2025)

Related on AI Leakage

Compare all 29 AI tools in the risk directory — see how GitHub Copilot (GitHub / Microsoft) stacks up against the rest, tier by tier.
Take the 5-minute “Am I Leaking?” check — a personalised view of your business’s AI exposure.
Check a prompt before you paste it — our free Data-Safe Prompt Rewriter.
Shadow AI vs AI leakage — why even approved tools like GitHub Copilot (GitHub / Microsoft) can leak data.
Get plain-English AI Leakage Alerts — we email you when an AI tool you use changes its data policy or has an incident.
Get the free AI Acceptable Use Policy template — a plain-English policy with the tool-by-tool risk guide built in.