GitHub Security Lab

Securing the supply chain at scale: Starting with 71 important open source projects Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.

🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...

Join Madison Oliver at DEF CON as she joins a panel on modernizing the CVE Program to meet the demands of AI-scale discovery, real-time coordination, and global software supply chains.

🗓️ Saturday, August 9 | ⏰ 12:30 PM
📍 Policy Stage | Room 234

Here are our July bug bounty stats!
✅174 bounty reports submitted
👥140 hackers participated in our program
💰 Awarded $103,202 in bounties

Found a vulnerability? Submit it here: bounty.github.com.

Are you at Security BSides Las Vegas?

Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.

ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT

Meet our team at Black Hat USA 2025 and DEF CON!

At Black Hat, find us at booth #4824.

Who’s attending:
Xavier René-Corail – Senior Director, GitHub Security Lab
Kevin Backhouse – Staff Manager, Security Research
Madison Oliver – Senior Manager, Security Research

Come by and say hi!

GHSL-2025-059_7: Denial of Service (DoS) because of null pointer dereference in 7-Zip - CVE-2025-53817 7-Zip supports extracting from Compounds Documents. Null pointer dereference in the Compound handler may lead to denial of service.

GHSL-2025-059_7: Denial of Service (DoS) because of null pointer dereference in 7-Zip - CVE-2025-53817 securitylab.github.com/advisories/G...

GHSL-2025-058_7: Denial of Service (DoS) because of memory corruption in 7-Zip - CVE-2025-53816 Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service.

GHSL-2025-058_7: Denial of Service (DoS) because of memory corruption in 7-Zip - CVE-2025-53816 securitylab.github.com/advisories/G...

Modeling CORS frameworks with CodeQL to find security vulnerabilities Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.

🧠 CORS misconfigurations are sneaky. Want to catch them with static analysis?
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...

Curious how GitHub helps secure the open source software the world runs on? Join us tomorrow at WeAreDevelopers World Congress 2025 and see it in action.

🕚 July 10, 16:10 CET
📍 Stage 11

CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.

New vuln from the GitHub Security Lab 🔍
Antonio + Kev team up to uncover CVE-2025-53367 — an out-of-bounds write in DjVuLibre that could lead to code execution on Linux desktops.
Found via fuzzing.
🧠 Read the announcement: github.blog/security/vul...

Here are our June bug bounty stats!
✅ 120 bounty reports submitted
👥 103 hackers participated in our program
💰 Awarded $43,651 in bounties

Found a vulnerability? Submit it here: bounty.github.com

Here are our May bug bounty stats!
✅159 bounty reports submitted
👥118 hackers participated in our program
💰 Awarded $47,551 in bounties

Found a vulnerability? Submit it here: bounty.github.com

DNS rebinding attacks explained: The lookup is coming from inside the house! DNS rebinding attack without CORS against local network web applications. See how this can be used to exploit vulnerabilities in the real-world.

We break down DNS rebinding attacks in our latest blog post. Explore the topic further and see how it can be used to exploit vulnerabilities in the real-world. github.blog/security/app...

GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them Use these insights to automate software security (where possible) to keep your projects safe.

Our Advisory Database surpassed 20,000 reviewed security advisories last year! Discover how GitHub's Advisory Database helps prioritize vulnerabilities and address what matters most in our latest blog post. github.blog/security/git...

Hack the model: Build AI security skills with the GitHub Secure Code Game Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.

Train for the future of app security! 🛡️ Dive into the new season of the GitHub Secure Code Game as you go face to face with the security risks introduced by artificial intelligence. 🤖

Ready to level up your security skills? Get to playing. 🎮

Hack the model: Build AI security skills with the GitHub Secure Code Game Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.

We just launched season three of the GitHub Secure Code Game, and this time we’re putting you face to face with the security risks introduced by artificial intelligence. Get ready to learn by doing and have fun doing it! github.blog/security/hac...

Bypassing MTE with CVE-2025-0072 See how a vulnerability in the Arm Mali GPU can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.

Our team member Man Yue Mo is back, showing a new way to bypass MTE protection on Android phones with CVE-2025-0072. github.blog/security/vul...

🚀 Want to secure your code like a pro? Join us virtually to explore how developers can use #AI and #GitHubCopilot to build secure software—faster and smarter!

🕚 May 22, 10am GMT
📍 Online (FREE & LIVE!)

🔗 Save your spot now and forward to your peers: developer.microsoft.com/en-us/reacto...

This What’s in the SOSS? podcast is a special #MaintainerMonth episode featuring GitHub’s Securing Open Source Software Fund—where training meets funding to help OSS projects scale security.

🎧 openssf.org/podcast/2025...

👉 maintainermonth.github.com/security-cha...

Season 3 of the GitHub Secure Code Game is coming — AI enters the chat 🤖🔥
Catchup with Season 1 and 2 at gh.io/secure-code-game

Here are our April bug bounty stats!
✅ 145 bounty reports submitted
👥 117 hackers participated in our program
💰 Awarded $36,535 in bounties

Found a vulnerability? Submit it here: bounty.github.com.

GitHub Actions workflow security analysis with CodeQL is now generally available · GitHub Changelog GitHub code scanning now offers enhanced security protection for your GitHub Actions workflow files through CodeQL analysis, which is now generally available. This feature enables you to identify and ...

CodeQL analysis is now generally available for your GitHub Actions workflow files! Use automated code scanning and Copilot autofix to detect and remediate vulnerabilities in your CI/CD pipeline.
github.blog/changelog/20...

Hello security researchers!
Sharing the GitHub March bug bounty stats!
🐛 198 bounty reports submitted
👩‍💻 135 hackers participated in our program
💰 Awarded $62,701 in bounties

Found a vulnerability on GitHub? Submit it here: bounty.github.com

How to request a change to a CVE record Learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion.

In our latest blogpost, learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion. github.blog/security/vul...

Are you in Athens for Devoxx Greece?
Don't miss @jkcso.bsky.social's talks on the main stage this Thursday and Friday! Discover how AI, Developer Experience (DevEx), and communities shape software security through real-world examples from securely building GitHub using GitHub 🔒

Thursday, April 10
- 11:00 – 11:30: "CVE Unmoored: Implications of the Removal of the Technology Requirement" by Jonathan Evans

Wednesday, April 9
- 09:00 – 09:30: "Breaking the Build: How Attackers Abuse GitHub Actions" by Jonathan Evans

Tuesday, April 8
- 16:30 – 17:00: "Exploit Maturity: Your New Best Friend in CVSS" by Shelby Cunningham

Tuesday, April 8
- 15:00 – 16:00: "CNA Birds of a Feather: Open Forum with Certified Naming Authorities" by David Welch & Jonathan Evans
- 16:00 – 16:30: "Managing Coordinated Disclosures: A Practical Workshop on Vulnerability Coordination" by Jeffrey Guerra & Sara Clements

Monday, April 7
- 12:30 – 13:00: "From NIST to FIRST: How GitHub’s Product Security Response Organization Transitioned" by Jeffrey Guerra & Sara Clements
- 14:30 – 15:30: "Vulnerability Poker: Real or AI Fake Vulnerabilities?" by Madison Oliver & Tobias Heldt