Xavier Rene-Corail
xcorail.bsky.social
Open source security at GitHub. I don’t believe in perfection, but in continuous improvement. Opinions here are mine.
Reposted by Xavier Rene-Corail
🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/communi...
Towards a secure by default GitHub Actions · community · Discussion #179107
Why are you starting this discussion? Product Feedback. What GitHub Actions topic or product is this about? Workflow Configuration. Discussion Details: Today, GitHub announced upcoming changes to the ...
github.com
November 11, 2025 at 6:38 PM
Reposted by Xavier Rene-Corail
The internet was on fire. 🔥
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.

Now, Log4J maintainer Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...
October 20, 2025 at 6:37 PM
Reposted by Xavier Rene-Corail
“Ignorance will break all software.”

Log4Shell’s one line of code broke the internet, and taught us all a lesson we can’t ignore. As Christian Grobmeier, maintainer of Log4J puts it: "Learning is the only cure for ignorance. So just keep learning."
October 20, 2025 at 7:05 PM
Reposted by Xavier Rene-Corail
We're taking action to make the npm supply chain stronger and harder to attack. 🛡️

Check out our plan to create a more secure future for the JavaScript community. 👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
September 30, 2025 at 3:55 PM
Reposted by Xavier Rene-Corail
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
September 23, 2025 at 4:11 PM
Hey security people, if you’re in Las Vegas, say hi!
If you want to talk open source security, or GitHub security products, I’d be happy to chat!
Meet our team at Black Hat USA 2025 and DEF CON!

At Black Hat, find us at booth #4824.

Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research

Come by and say hi!
August 5, 2025 at 4:37 PM
Reposted by Xavier Rene-Corail
Are you at Security BSides Las Vegas?

Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.

ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT
August 5, 2025 at 7:38 AM
Anyone else going to #ossna whose flight to Denver is delayed, without visibility?
June 23, 2025 at 12:57 AM
Reposted by Xavier Rene-Corail
If you, a business, are reliant on an open source project to function, it is YOUR responsibility to assess and ensure the health of that project by either contributing to it yourself or by using an alternative if project health cannot be guaranteed.
June 22, 2025 at 10:11 PM
It’s free. It’s fun. It’s easy.
Learn about secure coding with the GitHub secure code game.
We just launched season three of the GitHub Secure Code Game, and this time we’re putting you face to face with the security risks introduced by artificial intelligence. Get ready to learn by doing and have fun doing it! github.blog/security/hac...
Hack the model: Build AI security skills with the GitHub Secure Code Game
Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.
github.blog
June 4, 2025 at 5:44 AM
Reposted by Xavier Rene-Corail
Is your open source project built on a foundation of trust and security? 🛡️

Strengthen its future with essential practices like MFA, code scanning, safe dependency management, and private vulnerability reporting. 🔐

Learn how to implement these to protect your project and users with this guide. ⬇️
Security Best Practices for your Project
Strengthen your project’s future by building trust through essential security practices — from MFA and code scanning to safe dependency management and private vulnerability reporting.
opensource.guide
May 28, 2025 at 8:21 PM
Reposted by Xavier Rene-Corail
Season 3 of the GitHub Secure Code Game is coming — AI enters the chat 🤖🔥
Catch up with Seasons 1 and 2 at gh.io/secure-code-game
May 9, 2025 at 4:02 PM
Reposted by Xavier Rene-Corail
Star Wars has released one hour of Mon Mothma dancing. #Andor www.youtube.com/watch?v=y6wL...
ONE HOUR OF DANCING MON MOTHMA | Andor Season 2 | Disney+
YouTube video by Star Wars
www.youtube.com
April 26, 2025 at 9:52 PM
Finally watched the first episode of The Studio. OMG this is hilarious. I must admit I had a hard time with the disrespect of my hero Marty … I’ll get over it, but it was a difficult moment.
April 15, 2025 at 2:19 AM
So … Heat or Tombstone tonight? 😢 RIP Val Kilmer
a man with a mustache wearing a cowboy hat and saying say when
April 3, 2025 at 4:56 AM
Reposted by Xavier Rene-Corail
In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at gh.io/glfx
March 13, 2025 at 4:08 PM
Reposted by Xavier Rene-Corail
Happy Friday folks! Here is a throwback to our 2nd most popular research post of 2024, "Gaining kernel code execution on an MTE-enabled Pixel 8" by Man Yue Mo github.blog/security/vul...
Gaining kernel code execution on an MTE-enabled Pixel 8
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulne...
github.blog
February 14, 2025 at 11:04 AM
Reposted by Xavier Rene-Corail
Sure, chocolates are nice and all but why not show your favourite open source projects how much you love them by sponsoring them today! github.blog/open-source/...
Support the open source projects you love this Valentine’s Day
You can help provide much-needed support to the critical but often underfunded projects that keep your infrastructure running smoothly.
github.blog
February 14, 2025 at 5:56 PM
Reposted by Xavier Rene-Corail
Don’t just say DEI as if it’s a bad word. Spell it out.

Say diversity, which is the lifeblood of American society & culture & innovation.

Say equity, which a just society should pursue.

Say inclusion, because decent people believe in increasing belonging, not isolating people who are different.
February 9, 2025 at 2:10 PM
Reposted by Xavier Rene-Corail
Security researchers are digital detectives, safeguarding the internet by uncovering vulnerabilities. 🔍 Start your journey in cybersecurity research today. ⬇️
github.blog/security/vul...
Cybersecurity researchers: Digital detectives in a connected world
Discover the exciting world of cybersecurity research: what researchers do, essential skills, and actionable steps to begin your journey toward protecting the digital world.
github.blog
February 9, 2025 at 8:49 PM
Reposted by Xavier Rene-Corail
Hello from the GitHub Security Lab!
We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
February 6, 2025 at 8:29 AM
Reposted by Xavier Rene-Corail
768 CVEs Exploited in the Wild in 2024
VulnCheck observed 768 public reports of CVEs exploited in the wild for the first time in 2024, a 20% rise compared to 2023
buff.ly
February 4, 2025 at 12:12 AM
Jacques Audiard is a genius, Zoe Saldana is a queen.
#emilaperez
January 10, 2025 at 7:10 AM