We’re launching a series of office hours for open source maintainers! Do you need advice to secure your project’s code? Grab some time to chat with our team. Spots are limited and run until end of April github.co/36GvaIC
Pinned Tweet
Follow
GitHub Security Lab
@GHSecurityLab
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
securitylab.github.comJoined October 2019
GitHub Security Lab’s Tweets
In his latest post, sheds light on a patching problem in Pixel 6 (GHSL-2023-005) that can leave your device vulnerable to a variant of CVE-2022-38181, enabling malicious apps to gain root access. Read 👉 gh.io/pwn-pixel6
1
27
62
GHSL-2023-023: Type confusion in the Chrome renderer - CVE-2023-1214
32
93
GHSL-2023-005: GPU memory accessed after it's freed
2
24
This is an excellent writeup by Sylwia Budzynska on the fundamentals of static analysis, especially the practical graph theory background of the tools. It's important to understand how they work!
2
29
132
How do static analysis tools detect vulnerabilities in software? Learn more about the fundamentals of static analysis and security research, and challenge yourself with exercises in the first part of CodeQL Zero to Hero series by
3
35
118
👀 Did you play the Secure Code Game yet? 🎉🔒 a FREE, hands-on training simulating what you do on a daily basis. Start playing now at gh.io/securecodegame 🎮 Read more at gh.io/blog-securecod
14
43
Triple combo! Help secure open source by contributing to our CodeQL queries, learn how to do variant analysis and find vulns at scale, and get rewarded 💰 doing it!
🔗securitylab.github.com/bounties/
Quote Tweet
I just got my highest bounty of $5,500 from @GHSecurityLab for CodeQL query to detect ZipSlip bugs in Ruby
Show this thread
1
5
34
GHSL-2022-094: Remote Code Execution in discordrb - CVE-2023-28102
2
8
GHSL-2022-129: XML External Entity (XXE) injection in GeoNode - CVE-2023-26043
2
5
GHSL-2023-027: Command Injection in Cocos - CVE-2023-26493
2
4
GHSL-2023-051: Command Injection in React Native OneSignal SDK - CVE-2023-28430
2
12
Want to learn software security and have fun doing it? 🎉 🔒 Check out Secure Code Game - a FREE, hands-on training simulating what you do on a daily basis. Start playing now at gh.io/securecodegame 🎮 Read more at
43
126
🎉 Write safer code with new vulnerability prevention features in GitHub Copilot 🔒 ✅
2
10
15
Help us secure open source software by beta-testing #CodeQL for mobile application development! You can sign up for the CodeQL Swift Private Beta here:
4
7
GHSL-2023-016_GHSL-2023-018: Out-of-Bounds Read in the MIT Kerberos V5 (krb5) library
2
4
GHSL-2022-131: XML External Entities (XXE) injection in OWSLib - CVE-2023-27476
4
GHSL-2022-121_GHSL-2022-123: Multiple vulnerabilities in Apollo Configuration Management System - CVE-2023-25569, CVE-2023-25570
7
18
GHSL-2022-076_GHSL-2022-083: Multiple vulnerabilities in DataHub - CVE-2023-25557, CVE-2022-39366, CVE-2023-25559, CVE-2023-25560, CVE-2023-25561, CVE-2023-25562, CVE-2023-25558, CVE-2023-25580
2
6
Join us at to discover 4 game-changing ways developers can use AI to leverage security knowledge!
1
6
Multi-repository variant analysis lets you scale security research across thousands of repositories, giving you a powerful tool to find new vulnerabilities.
17
53
On March 13, we officially begin rolling out our requirement for all developers who contribute code on GitHub.com to enable 2FA by the end of 2023 ✨ Learn about the process & how you can help secure the software supply chain with 2FA: github.blog/2023-03-09-rai
5
60
102
FROM code SELECT vulnerability! Grab a spot for and 's CodeQL workshop at Berlin on Friday. Without prior CodeQL knowledge, learn how to identify vulnerabilities in projects. 🔗 nullcon.net/berlin-2023/id
#NullconDE2023
1
12
27
Three takeaways from security office hours with open source projects!
4
6
🔒 Our team at GitHub Security Lab discovered critical vulnerabilities in the DataHub platform! Check out our latest blog post to learn more about the security audit that helped to identify these vulnerabilities and keep your data safe:
1
23
44
Follow down the rabbit hole of an information leak on Android with the mysterious CVE-2022-25664 in the Qualcomm Adreno GPU
1
13
32
⭐#Panel alert! 💻Finding methods to make #security easy for developers + removing the disconnect🧑💻🧮+🛡️
💡Meet our panel for an insightful session : Xavier René-Corail, Marie Theresa Brosig, Santosh Yadav
✅For more updates➡️bit.ly/3wbN9Au
#NullconDE2023 #infosec
6
11
GHSL-2023-010_GHSL-2023-014: Denial of Service (DoS) and memory corruption in gss-ntlmssp - CVE-2023-25563, CVE-2023-25564, CVE-2023-25565, CVE-2023-25566, CVE-2023-25567
3
7
GHSL-2022-092: Physical memory access by untrusted app in Qualcomm Adreno GPU - CVE-2022-25664
19
37
GHSL-2022-128: Quadratic complexity algorithm in cmark - CVE-2023-22486
1
4
GHSL-2022-118: Out-of-bounds read in cmark-gfm - CVE-2023-22485
3
4
GHSL-2022-098: Quadratic complexity algorithm in cmark - CVE-2023-22484
1
3
GHSL-2022-088, GHSL-2022-089, GHSL-2022-090, GHSL-2022-091, GHSL-2022-099, GHSL-2022-109, GHSL-2022-110, GHSL-2022-111, GHSL-2022-120, GHSL-2022-126: Quadratic complexity algorithms in cmark-gfm - CVE-2023-22483
1
1
4
GHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app - CVE-2023-24804, CVE-2023-23948
16
44
17
20
4
13
Next post is out covering getting started with and learning CodeQL goingbeyondgrep.com/posts/learning. One for Semgrep is coming next
2
13
51