We’re launching a series of office hours for open source maintainers! Do you need advice to secure your project’s code? Grab some time to chat with our team. Spots are limited and run until end of April github.co/36GvaIC
Pinned Tweet
Follow
Click to Follow GHSecurityLab
GitHub Security Lab
@GHSecurityLab
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
securitylab.github.comJoined October 2019
GitHub Security Lab’s Tweets
Multi-repository variant analysis lets you scale security research across thousands of repositories, giving you a powerful tool to find new vulnerabilities.
9
41
On March 13, we officially begin rolling out our requirement for all developers who contribute code on GitHub.com to enable 2FA by the end of 2023 ✨ Learn about the process & how you can help secure the software supply chain with 2FA: github.blog/2023-03-09-rai
3
43
80
FROM code SELECT vulnerability! Grab a spot for and 's CodeQL workshop at Berlin on Friday. Without prior CodeQL knowledge, learn how to identify vulnerabilities in projects. 🔗 nullcon.net/berlin-2023/id
#NullconDE2023
1
11
22
Three takeaways from security office hours with open source projects!
3
5
🔒 Our team at GitHub Security Lab discovered critical vulnerabilities in the DataHub platform! Check out our latest blog post to learn more about the security audit that helped to identify these vulnerabilities and keep your data safe:
1
21
43
Follow down the rabbit hole of an information leak on Android with the mysterious CVE-2022-25664 in the Qualcomm Adreno GPU
1
12
30
⭐#Panel alert! 💻Finding methods to make #security easy for developers + removing the disconnect🧑💻🧮+🛡️
💡Meet our panel for an insightful session : Xavier René-Corail, Marie Theresa Brosig, Santosh Yadav
✅For more updates➡️bit.ly/3wbN9Au
#NullconDE2023 #infosec
6
10
GHSL-2023-010_GHSL-2023-014: Denial of Service (DoS) and memory corruption in gss-ntlmssp - CVE-2023-25563, CVE-2023-25564, CVE-2023-25565, CVE-2023-25566, CVE-2023-25567
2
6
GHSL-2022-092: Physical memory access by untrusted app in Qualcomm Adreno GPU - CVE-2022-25664
18
36
GHSL-2022-128: Quadratic complexity algorithm in cmark - CVE-2023-22486
1
4
GHSL-2022-118: Out-of-bounds read in cmark-gfm - CVE-2023-22485
2
3
GHSL-2022-098: Quadratic complexity algorithm in cmark - CVE-2023-22484
1
3
GHSL-2022-088, GHSL-2022-089, GHSL-2022-090, GHSL-2022-091, GHSL-2022-099, GHSL-2022-109, GHSL-2022-110, GHSL-2022-111, GHSL-2022-120, GHSL-2022-126: Quadratic complexity algorithms in cmark-gfm - CVE-2023-22483
1
1
4
GHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app - CVE-2023-24804, CVE-2023-23948
16
43
16
19
4
13
Next post is out covering getting started with and learning CodeQL goingbeyondgrep.com/posts/learning. One for Semgrep is coming next
2
13
50
In case you missed it, did it again. Bypassing OGNL sandboxes, this time for fun and charities!
14
34
Had some fun with OGNL sandboxes last year. Read how I bypassed Atlassian Confluence and Struts ones in my latest blog post
1
93
201
GHSL-2022-132_GHSL-2022-133: Server-Side Request Forgery (SSRF) and Path Injection in Metersphere - CVE-2022-23544, CVE-2022-23512
1
9
22
It turns out that the first "all Google" phone includes a non-Google bug. Join on his journey through reporting the bug, and the exploit used to gain arbitrary kernel code execution and root on a Pixel 6 from an Android app.
16
43
GHSL-2022-054: Use-after-free (UAF) in the Arm Mali Kernel driver - CVE-2022-38181
12
31
GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377
2
7
GHSL-2023-004: Arbitrary file upload and download in act - CVE-2023-22726
3
11
If you are attending tomorrow, make sure to catch presenting with about the work done in to help security researchers with open source vulnerability disclosure ✨
Read the full guide here: github.com/ossf/oss-vulne
6
9
This Wednesday, we are at in Oslo, Norway! Join to discover Security as Code (SaC) and the latest initiatives we pursue to secure open source.
6
15
Quote Tweet
Tomorrow doors open for #CyberThreat22
We hope you enjoy all that #CyberThreat22 and #London 
has to offer
Registration starts at 08:00 – 10:00 | Chablis Suite | Novotel London West
sans.org/u/1mfN
Follow #CyberThreat22 for live social updates during the event
has to offer
Registration starts at 08:00 – 10:00 | Chablis Suite | Novotel London West
sans.org/u/1mfN
Follow #CyberThreat22 for live social updates during the event
3
10
In software development, we often neglect security, but it's vital. That’s why we’re highlighting Metasploit -- the world’s most used penetration testing framework.
We'll chat with on twitch.tv/github on Jan 13 at 1 pm ET.
RSVP: tinyurl.com/osfriday
read image description
ALT
10
18
Sponsor Alert! 🙌We are excited to Welcome as Workshop Sponsor at #NullconBerlin
😎Meet folks #securing the #opensource & network with incredible #infosec minds
Go grab your tickets👉bit.ly/3Tq3Em2
#NullconDE2023 #GreenCon #Conference #Cybersecurity
5
9
Woah, the end of the year is upon us. One of the funner activities I participated in this year was a panel with the and teams about fixing vulnerability reporting in open source. Re-watch the session here:
1
3
16
Show this thread
3
26
90
GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553
3
18
GHSL-2021-1010: Authentication bypass in Alpine - CVE-2022-23554
6
31
GHSL-2022-061: Bearer token disclosure in ghinstallation - CVE-2022-39304
2
8
GHSL-2022-112_GHSL-2022-115: Remote denial of service in Linux kernel WILC1000 wireless driver - CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521
1
8
Collaboration is the name of the game! Let's provide OWASP with feedback through this survey so that we can improve the user experience for all.
6
13
GHSL-2022-070_GHSL-2022-072: SQL injection in Arches - CVE-2022-41892
4
15
GHSL-2022-028: Copy/paste cross-site scripting (XSS) in codex-team
1
5
GHSL-2022-130: Out-of-bounds (OOB) read in openrazer - CVE-2022-23467
5