The Wayback Machine - https://web.archive.org/web/20221117024034/https://securitylab.github.com/
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities
Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community
Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research
Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL.

Notify the ecosystem
Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Our principles

Empower others
Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration
Foster collaboration

Build a community of security researchers to serve the global open source community.

Vulnerabilities we've disclosed so far

  • Arbitrary File Read in Tasks.org Android app - CVE-2022-39349
    GHSL-2022-062CVE-2022-39349 • published 2022/11/03 00:00:00 ago • discovered by team
  • Integer Overflow in git shell - CVE-2022-39260
    GHSL-2022-035CVE-2022-39260 • published 2022/11/03 00:00:00 ago • discovered by Kevin Backhouse
  • Arbitrary Code Execution in Apache Commons Text - CVE-2022-42889
    GHSL-2022-018CVE-2022-42889 • published 2022/10/17 00:00:00 ago • discovered by Alvaro Munoz
  • Stack Buffer Overflow in iowow - CVE-2022-23462
    GHSL-2022-066CVE-2022-23462 • published 2022/10/14 00:00:00 ago • discovered by Kwstubbs
  • Arbitrary CSS injection in mermaid.js - CVE-2022-31108
    GHSL-2022-036CVE-2022-31108 • published 2022/09/15 00:00:00 ago • discovered by Agustin Gianni
See all disclosures
shape
shape
356 CVEs found
by Security Lab researchers
233 since March 2020

Meet the team

Jonathan Moroney

Seeking safer software

GitHub icon @darakian twitter icon @Hooray_Darakian
Kevin Backhouse

Catching up on all the hacking that I should have done in the 1990s

GitHub icon @kevinbackhouse twitter icon @kevin_backhouse
Antonio Morales

EthicalHacker­BugHunter & C++; 3735928559

GitHub icon @antonio-morales twitter icon @nosoynadiemas
Ron Wochner

Breaker of things, fixer of some, curator of many.

GitHub icon @ronwoch
Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

GitHub icon @pwntester twitter icon @pwntester
Jorge Rosillo

while true; do ./research; ./ctf; done

GitHub icon @jorgectf twitter icon @jorge_ctf
Kevin Stubbings

Alright get out. From now on I'll do the memory managing around here.

GitHub icon @kwstubbs
Shelby Cunningham

Security person with a dash of data privacy

GitHub icon @shelbyc
Nancy Gariché

Community Building as Secure Code

GitHub icon @nanzggits
Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

GitHub icon @xcorail twitter icon @xcorail
Jaroslav Lobacevski

Security panda

GitHub icon @jarlob twitter icon @yarlob
Hauwa Otori

Operations and coalition builder for security research

GitHub icon @hauwaotori twitter icon @hauwaotori
Phil Turnbull

security shenanigans

GitHub icon @philipturnbull
Joseph Katsioloudes

Making security easy for developers

GitHub icon @jkcso twitter icon @jkcso
Peter Stöckli

Helping developers by breaking things.

GitHub icon @p- twitter icon @ulldma
Sylwia Budzynska

*hacker voice* I’m in

GitHub icon @sylwia-budzynska
Man Yue Mo

Security scavenger

GitHub icon @m-y-mo twitter icon @mmolgtm
Chamari Tucker

Hacker where? Hacker there.

GitHub icon @callmeMari
Michael Stepankin

get shell or die trying.

GitHub icon @artsploit
Madison Oliver

Security transparency advocate

GitHub icon @taladrane twitter icon @taladrane
shape shape shape
mona puzzle

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

Coordinated vulnerability disclosure (CVD) for open source projects
A comprehensive guide for vulnerability reporters.
Nancy Gariché
February 9, 2022
Fuzzing sockets: Apache HTTP, Part 3: Results
In the finale of the Fuzzing sockets series, Antonio shares the results of his research on Apache HTTP server.
Antonio Morales
December 21, 2021
Getting root on Ubuntu through wishful thinking
How to exploit a double-free vulnerability in Ubuntu's accountsservice (CVE-2021-3939).
Kevin Backhouse
December 13, 2021
See all our articles