GitHub Security Lab
@securitylab.github.com
340 followers 1 following 64 posts
Securing open source software, together
Pinned
securitylab.github.com
Why does GitHub Security Lab do research like Man Yue Mo’s recent work on bypassing MTE on the Pixel 8? This question was asked on Hacker News and we think it’s worth a short thread.
news.ycombinator.com/item?id=3975...
This is great research and a great write-up, but I'm a little (pleasantly) surpr... | Hacker News
news.ycombinator.com
securitylab.github.com
Here are our September bug bounty stats!
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
https://bounty.github.com
securitylab.github.com
⏱️ Maintainers, we know you don’t have time to research every security best practice. That’s why we’ve made it simple:

✅ 15 minutes
✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact

Protect your project now at gh.io/protect-your-project
Protect Your Project
Securing open source software, together.
gh.io
securitylab.github.com
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
securitylab.github.com
Here are our August bug bounty stats!
✅ 173 bounty reports submitted
👥 131 hackers participated in our program
💰 Awarded $28,667 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
https://bounty.github.com
securitylab.github.com
Georg Semmler, the maintainer of github.com/diesel-rs/di... and one of the recent participants in the GitHub Secure Open Source Fund, has written a tool called cargo-safe-publish that helps protect against supply chain attacks in the Rust Cargo ecosystem. Read more: blog.weiznich.de/blog/cargo-s...
Introducing cargo safe-publish
About ways to publish unexpected code to crates.io
blog.weiznich.de
securitylab.github.com
What if attackers could hijack your coding agent through a simple GitHub issue?

Prompt injections are a real and growing threat for VS Code Copilot Agent.

Learn how these attacks work and how you can defend your environment.

Read the full research: github.blog/security/vul...
Safeguarding VS Code against prompt injections
See how to reduce the risks of an indirect prompt injection, such as the exposure of confidential files or the execution of code without the user's consent.
github.blog
securitylab.github.com
Join GitHub Open Source Friday - Aug 22, 10am PT - for a special episode featuring Bartosz Gałek and @jkcso.bsky.social, contributors to the Secure Code Game. Discover how Season 3 is empowering developers and students to build safer LLM-based applications.
www.linkedin.com/events/73635...
securitylab.github.com
🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Securing the supply chain at scale: Starting with 71 important open source projects
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.
github.blog
securitylab.github.com
Join Madison Oliver at DEF CON as she joins a panel on modernizing the CVE Program to meet the demands of AI-scale discovery, real-time coordination, and global software supply chains.

🗓️ Saturday, August 9 | ⏰ 12:30 PM
📍 Policy Stage | Room 234
securitylab.github.com
Here are our July bug bounty stats!
✅ 174 bounty reports submitted
👥 140 hackers participated in our program
💰 Awarded $103,202 in bounties

Found a vulnerability? Submit it here: bounty.github.com.
GitHub Security
Bug Bounty Program
bounty.github.com
securitylab.github.com
Are you at Security BSides Las Vegas?

Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.

ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT
securitylab.github.com
Meet our team at Black Hat USA 2025 and DEF CON!

At Black Hat, find us at booth #4824.

Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research

Come by and say hi!
securitylab.github.com
🧠 CORS misconfigurations are sneaky. Want to catch them with static analysis?
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...
Modeling CORS frameworks with CodeQL to find security vulnerabilities
Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.
github.blog
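What a "sneaky" CORS misconfiguration looks like in Go, as an added example that is not part of the post or the linked blog post. It uses net/http instead of Gin so it runs with the standard library alone, and the origins, allowlist and endpoint are constructed for the example. Two vulnerable middlewares (an origin reflector, and a suffix check that looks like validation) sit beside a hardened exact-match allowlist, and a small in-process probe reports whether an attacker origin would be able to read a credentialed response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allowlist for the example (not from the post or the blog).
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
}

func secret(w http.ResponseWriter, r *http.Request) {
	// Stand-in for an authenticated endpoint whose body must not leak cross-origin.
	w.Write([]byte("account balance: 42"))
}

// VulnReflecting echoes whatever Origin arrives and allows credentials: any site
// can make a cookie-bearing request and read the response.
func VulnReflecting() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		secret(w, r)
	})
}

// VulnSuffix looks like validation but is only a suffix check: an attacker who
// registers evil-app.example.com passes it. A grep for header names will not
// flag this; a data-flow model of the middleware can.
func VulnSuffix() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if strings.HasSuffix(origin, "app.example.com") {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		secret(w, r)
	})
}

// Hardened compares the full origin against an exact allowlist, sets Vary: Origin
// so a cache never serves one origin's response to another, and emits no CORS
// headers at all for unknown origins.
func Hardened() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		secret(w, r)
	})
}

// CredentialedAllow sends a request carrying the given Origin through h
// (in-process, no network) and reports whether a browser would let that origin
// read the response with credentials attached.
func CredentialedAllow(h http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/api/secret", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.Header.Get("Access-Control-Allow-Origin") == origin &&
		res.Header.Get("Access-Control-Allow-Credentials") == "true"
}

func main() {
	attacker := "https://evil-app.example.com" // constructed attacker origin
	for name, h := range map[string]http.Handler{
		"reflecting": VulnReflecting(),
		"suffix":     VulnSuffix(),
		"hardened":   Hardened(),
	} {
		fmt.Printf("%-10s attacker origin readable with credentials: %v\n",
			name, CredentialedAllow(h, attacker))
	}
}
```

The probe is the same check a static model encodes: taint from the Origin header reaching Access-Control-Allow-Origin, combined with Allow-Credentials set to true, without an exact comparison in between. The suffix variant is why modelling the comparison matters and not just the header writes.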
securitylab.github.com
Curious how GitHub helps secure the open source software the world runs on? Join us tomorrow at WeAreDevelopers World Congress 2025 and see it in action.

🕚 July 10, 16:10 CET
📍 Stage 11
securitylab.github.com
New vuln from the GitHub Security Lab 🔍
Antonio + Kev team up to uncover CVE-2025-53367 — an out-of-bounds write in DjVuLibre that could lead to code execution on Linux desktops.
Found via fuzzing.
🧠 Read the announcement: github.blog/security/vul...
CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre
DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.
github.blog
securitylab.github.com
Here are our June bug bounty stats!
✅ 120 bounty reports submitted
👥 103 hackers participated in our program
💰 Awarded $43,651 in bounties

Found a vulnerability? Submit it here: bounty.github.com
GitHub Security
Bug Bounty Program
bounty.github.com
securitylab.github.com
Here are our May bug bounty stats!
✅ 159 bounty reports submitted
👥 118 hackers participated in our program
💰 Awarded $47,551 in bounties

Found a vulnerability? Submit it here: bounty.github.com
GitHub Security
Bug Bounty Program
bounty.github.com
securitylab.github.com
Our Advisory Database surpassed 20,000 reviewed security advisories last year! Discover how GitHub's Advisory Database helps prioritize vulnerabilities and address what matters most in our latest blog post. github.blog/security/git...
GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them
Use these insights to automate software security (where possible) to keep your projects safe.
github.blog
Reposted by GitHub Security Lab
github.com
GitHub @github.com · Jun 18
Train for the future of app security! 🛡️ Dive into the new season of the GitHub Secure Code Game as you go face to face with the security risks introduced by artificial intelligence. 🤖

Ready to level up your security skills? Get to playing. 🎮
Hack the model: Build AI security skills with the GitHub Secure Code Game
Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.
github.blog
securitylab.github.com
We just launched season three of the GitHub Secure Code Game, and this time we’re putting you face to face with the security risks introduced by artificial intelligence. Get ready to learn by doing and have fun doing it! github.blog/security/hac...
Hack the model: Build AI security skills with the GitHub Secure Code Game
Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.
github.blog
securitylab.github.com
🚀 Want to secure your code like a pro? Join us virtually to explore how developers can use #AI and #GitHubCopilot to build secure software—faster and smarter!

🕚 May 22, 10am GMT
📍 Online (FREE & LIVE!)

🔗 Save your spot now and forward to your peers: developer.microsoft.com/en-us/reacto...