GitHub Security Lab
@securitylab.github.com
Securing open source software, together
Pinned
This is great research and a great write-up, but I'm a little (pleasantly) surpr... | Hacker News
news.ycombinator.com
Why does GitHub Security Lab do research like Man Yue Mo’s recent work on bypassing MTE on the Pixel 8? This question was asked on Hacker News and we think it’s worth a short thread.
news.ycombinator.com/item?id=3975...
news.ycombinator.com/item?id=3975...
Attending AI Native DevCon? Join @jkcso.bsky.social and discover practical ways to use AI for security through 14 live GitHub Copilot demos from secure coding, to supply chain decisions, to MCP servers.
📅 November 19, 11:40 AM EST
📍 Industry City, Kings County, NY + online
👉 ainativedev.io/devcon
📅 November 19, 11:40 AM EST
📍 Industry City, Kings County, NY + online
👉 ainativedev.io/devcon
November 19, 2025 at 7:36 AM
Attending AI Native DevCon? Join @jkcso.bsky.social and discover practical ways to use AI for security through 14 live GitHub Copilot demos from secure coding, to supply chain decisions, to MCP servers.
📅 November 19, 11:40 AM EST
📍 Industry City, Kings County, NY + online
👉 ainativedev.io/devcon
📅 November 19, 11:40 AM EST
📍 Industry City, Kings County, NY + online
👉 ainativedev.io/devcon
Join us at @nerdearla.bsky.social to discover how GitHub secures the open source software we rely on. From security research and education to free tools and programs that have strengthened the security of hundreds of projects.
📅 November 14, 11 AM CET
📍 LaNaveMadrid + free streaming
👉 nerdearla.es
📅 November 14, 11 AM CET
📍 LaNaveMadrid + free streaming
👉 nerdearla.es
November 13, 2025 at 9:04 AM
Join us at @nerdearla.bsky.social to discover how GitHub secures the open source software we rely on. From security research and education to free tools and programs that have strengthened the security of hundreds of projects.
📅 November 14, 11 AM CET
📍 LaNaveMadrid + free streaming
👉 nerdearla.es
📅 November 14, 11 AM CET
📍 LaNaveMadrid + free streaming
👉 nerdearla.es
🚀 GitHub is making Actions more secure by default
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
Towards a secure by default GitHub Actions · community · Discussion #179107
Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...
github.com
November 11, 2025 at 6:38 PM
🚀 GitHub is making Actions more secure by default
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
Here are our October bug bounty stats!
🐛 162 bounty reports submitted
🎃 121 hackers participated in our program
💰 Awarded $78,968 in bounties
Found a vulnerability? Submit it here: bounty.github.com
🐛 162 bounty reports submitted
🎃 121 hackers participated in our program
💰 Awarded $78,968 in bounties
Found a vulnerability? Submit it here: bounty.github.com
GitHub Security
Bug Bounty Program
bounty.github.com
November 4, 2025 at 7:38 PM
Here are our October bug bounty stats!
🐛 162 bounty reports submitted
🎃 121 hackers participated in our program
💰 Awarded $78,968 in bounties
Found a vulnerability? Submit it here: bounty.github.com
🐛 162 bounty reports submitted
🎃 121 hackers participated in our program
💰 Awarded $78,968 in bounties
Found a vulnerability? Submit it here: bounty.github.com
Building with AI? 🤖
Then you won’t want to miss tomorrow’s #GitHubUniverse workshop with Joseph Katsioloudes and Rahul Zhade — all about how to build secure LLM-powered applications.
📍 Fort Mason Center for Arts & Culture
🗓️ Oct 29, 1:15–2:45 PM PDT
Then you won’t want to miss tomorrow’s #GitHubUniverse workshop with Joseph Katsioloudes and Rahul Zhade — all about how to build secure LLM-powered applications.
📍 Fort Mason Center for Arts & Culture
🗓️ Oct 29, 1:15–2:45 PM PDT
October 28, 2025 at 7:48 PM
Building with AI? 🤖
Then you won’t want to miss tomorrow’s #GitHubUniverse workshop with Joseph Katsioloudes and Rahul Zhade — all about how to build secure LLM-powered applications.
📍 Fort Mason Center for Arts & Culture
🗓️ Oct 29, 1:15–2:45 PM PDT
Then you won’t want to miss tomorrow’s #GitHubUniverse workshop with Joseph Katsioloudes and Rahul Zhade — all about how to build secure LLM-powered applications.
📍 Fort Mason Center for Arts & Culture
🗓️ Oct 29, 1:15–2:45 PM PDT
🎉 It’s Friday at #EkoParty!
Join us at the GitHub booth at 15:30 for the GitHub Quiz 🧠
Test your security knowledge, win exclusive GitHub swag, grab some stickers, and chat with our experts!
👉 gh.io/eko
Join us at the GitHub booth at 15:30 for the GitHub Quiz 🧠
Test your security knowledge, win exclusive GitHub swag, grab some stickers, and chat with our experts!
👉 gh.io/eko
GitHub Security Lab
Securing open source software, together.
gh.io
October 24, 2025 at 2:10 PM
Aprende como usar LLMs para mejorar el proceso de fuzzing en la charla de Antonio Morales en #ekoparty2025
📅 Jueves, 23 Oct, 15:30 AST
📅 Jueves, 23 Oct, 15:30 AST
October 22, 2025 at 1:49 PM
Aprende como usar LLMs para mejorar el proceso de fuzzing en la charla de Antonio Morales en #ekoparty2025
📅 Jueves, 23 Oct, 15:30 AST
📅 Jueves, 23 Oct, 15:30 AST
👋 Hola Argentina! We’re thrilled to be at #EkoParty this week!
If you’re around, swing by the GitHub booth — grab some stickers, play our security games, and chat with our experts about all things open source & security.
See you there 👉 gh.io/eko
If you’re around, swing by the GitHub booth — grab some stickers, play our security games, and chat with our experts about all things open source & security.
See you there 👉 gh.io/eko
GitHub Security Lab
Securing open source software, together.
gh.io
October 22, 2025 at 1:32 PM
Reposted by GitHub Security Lab
The internet was on fire. 🔥
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.
Now, Log4J maintainer, Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.
Now, Log4J maintainer, Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...
October 20, 2025 at 6:37 PM
The internet was on fire. 🔥
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.
Now, Log4J maintainer, Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.
Now, Log4J maintainer, Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...
Are you in Warsaw for The Hack Summit Warsaw? Join Sylwia Budzynska for an introductory talk about security research, static analysis, and CodeQL: "From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL"
📆 October 14, 11:20 CEST
Track: Security in Software Development & DevSecOps
📆 October 14, 11:20 CEST
Track: Security in Software Development & DevSecOps
October 13, 2025 at 4:28 PM
Are you in Warsaw for The Hack Summit Warsaw? Join Sylwia Budzynska for an introductory talk about security research, static analysis, and CodeQL: "From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL"
📆 October 14, 11:20 CEST
Track: Security in Software Development & DevSecOps
📆 October 14, 11:20 CEST
Track: Security in Software Development & DevSecOps
Here are our September bug bounty stats!
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
https://bounty.github.com
t.co
October 8, 2025 at 5:24 PM
Here are our September bug bounty stats!
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
⏱️ Maintainers, we know you don’t have time to research every security best practice. That’s why we’ve made it simple:
✅ 15 minutes
✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact
Protect your project now at gh.io/protect-your-project
✅ 15 minutes
✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact
Protect your project now at gh.io/protect-your-project
Protect Your Project
Securing open source software, together.
gh.io
September 30, 2025 at 3:14 PM
⏱️ Maintainers, we know you don’t have time to research every security best practice. That’s why we’ve made it simple:
✅ 15 minutes
✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact
Protect your project now at gh.io/protect-your-project
✅ 15 minutes
✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact
Protect your project now at gh.io/protect-your-project
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
September 23, 2025 at 4:11 PM
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Here are our August bug bounty stats!
✅ 173 bounty reports submitted
👥 131 hackers participated in our program
💰 Awarded $28,667 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
✅ 173 bounty reports submitted
👥 131 hackers participated in our program
💰 Awarded $28,667 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
https://bounty.github.com
t.co
September 12, 2025 at 9:18 PM
Here are our August bug bounty stats!
✅ 173 bounty reports submitted
👥 131 hackers participated in our program
💰 Awarded $28,667 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
✅ 173 bounty reports submitted
👥 131 hackers participated in our program
💰 Awarded $28,667 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.
Georg Semmler, the maintainer of github.com/diesel-rs/di... and one of the recent participants in the GitHub Secure Open Source Fund, has written a tool called cargo-safe-publish that helps protect against supply chain attacks in the Rust Cargo ecosystem. Read more: blog.weiznich.de/blog/cargo-s...
Introducing cargo safe-publish
About ways to publish unexpected code to crates.io
blog.weiznich.de
September 2, 2025 at 6:37 PM
Georg Semmler, the maintainer of github.com/diesel-rs/di... and one of the recent participants in the GitHub Secure Open Source Fund, has written a tool called cargo-safe-publish that helps protect against supply chain attacks in the Rust Cargo ecosystem. Read more: blog.weiznich.de/blog/cargo-s...
What if attackers could hijack your coding agent through a simple GitHub issue?
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Safeguarding VS Code against prompt injections
See how to reduce the risks of an indirect prompt injection, such as the exposure of confidential files or the execution of code without the user's consent.
github.blog
August 25, 2025 at 5:53 PM
What if attackers could hijack your coding agent through a simple GitHub issue?
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Join GitHub Open Source Friday - Aug 22, 10am PT - for a special episode featuring Bartosz Gałek and @jkcso.bsky.social, contributors to the Secure Code Game. Discover how Season 3 is empowering developers and students to build safer LLM-based applications.
www.linkedin.com/events/73635...
www.linkedin.com/events/73635...
LinkedIn Login, Sign in | LinkedIn
Login to LinkedIn to keep in touch with people you know, share ideas, and build your career.
www.linkedin.com
August 21, 2025 at 9:53 PM
Join GitHub Open Source Friday - Aug 22, 10am PT - for a special episode featuring Bartosz Gałek and @jkcso.bsky.social, contributors to the Secure Code Game. Discover how Season 3 is empowering developers and students to build safer LLM-based applications.
www.linkedin.com/events/73635...
www.linkedin.com/events/73635...
🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Securing the supply chain at scale: Starting with 71 important open source projects
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.
github.blog
August 11, 2025 at 5:28 PM
🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Join Madison Oliver at DEF CON as she joins a panel on modernizing the CVE Program to meet the demands of AI-scale discovery, real-time coordination, and global software supply chains.
🗓️ Saturday, August 9 | ⏰ 12:30 PM
📍 Policy Stage | Room 234
🗓️ Saturday, August 9 | ⏰ 12:30 PM
📍 Policy Stage | Room 234
August 8, 2025 at 8:00 AM
Join Madison Oliver at DEF CON as she joins a panel on modernizing the CVE Program to meet the demands of AI-scale discovery, real-time coordination, and global software supply chains.
🗓️ Saturday, August 9 | ⏰ 12:30 PM
📍 Policy Stage | Room 234
🗓️ Saturday, August 9 | ⏰ 12:30 PM
📍 Policy Stage | Room 234
Here are our July bug bounty stats!
✅174 bounty reports submitted
👥140 hackers participated in our program
💰 Awarded $103,202 in bounties
Found a vulnerability? Submit it here: bounty.github.com.
✅174 bounty reports submitted
👥140 hackers participated in our program
💰 Awarded $103,202 in bounties
Found a vulnerability? Submit it here: bounty.github.com.
GitHub Security
Bug Bounty Program
bounty.github.com
August 6, 2025 at 6:57 AM
Here are our July bug bounty stats!
✅174 bounty reports submitted
👥140 hackers participated in our program
💰 Awarded $103,202 in bounties
Found a vulnerability? Submit it here: bounty.github.com.
✅174 bounty reports submitted
👥140 hackers participated in our program
💰 Awarded $103,202 in bounties
Found a vulnerability? Submit it here: bounty.github.com.
Are you at Security BSides Las Vegas?
Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.
ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT
Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.
ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT
LinkedIn
This link will take you to a page that’s not on LinkedIn
lnkd.in
August 5, 2025 at 7:38 AM
Are you at Security BSides Las Vegas?
Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.
ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT
Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.
ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT
Meet our team at Black Hat USA 2025 and DEF CON!
At Black Hat, find us at booth #4824.
Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research
Come by and say hi!
At Black Hat, find us at booth #4824.
Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research
Come by and say hi!
August 4, 2025 at 9:44 PM
Meet our team at Black Hat USA 2025 and DEF CON!
At Black Hat, find us at booth #4824.
Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research
Come by and say hi!
At Black Hat, find us at booth #4824.
Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research
Come by and say hi!
GHSL-2025-059_7: Denial of Service (DoS) because of null pointer dereference in 7-Zip - CVE-2025-53817 securitylab.github.com/advisories/G...
GHSL-2025-059_7: Denial of Service (DoS) because of null pointer dereference in 7-Zip - CVE-2025-53817
7-Zip supports extracting from Compounds Documents. Null pointer dereference in the Compound handler may lead to denial of service.
securitylab.github.com
July 17, 2025 at 3:21 PM
GHSL-2025-059_7: Denial of Service (DoS) because of null pointer dereference in 7-Zip - CVE-2025-53817 securitylab.github.com/advisories/G...
GHSL-2025-058_7: Denial of Service (DoS) because of memory corruption in 7-Zip - CVE-2025-53816 securitylab.github.com/advisories/G...
GHSL-2025-058_7: Denial of Service (DoS) because of memory corruption in 7-Zip - CVE-2025-53816
Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service.
securitylab.github.com
July 17, 2025 at 3:17 PM
GHSL-2025-058_7: Denial of Service (DoS) because of memory corruption in 7-Zip - CVE-2025-53816 securitylab.github.com/advisories/G...
🧠 CORS misconfigurations are sneaky. Want to catch them with static analysis?
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...
Modeling CORS frameworks with CodeQL to find security vulnerabilities
Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.
github.blog
July 10, 2025 at 7:31 PM
🧠 CORS misconfigurations are sneaky. Want to catch them with static analysis?
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...