Season 3 of the GitHub Secure Code Game is coming — AI enters the chat 🤖🔥 Catch up with Season 1 and 2 at gh.io/secure-code-game
About us
- Website: https://securitylab.github.com
- Industry: Software Development
Updates
- Here are our April bug bounty stats!
  ✅ 145 bounty reports submitted
  👥 117 hackers participated in our program
  💰 Awarded $36,535 in bounties
  Found a vulnerability? Submit it here: https://bounty.github.com.
- CodeQL analysis is now generally available for your GitHub Actions workflow files. It helps you identify and remediate security vulnerabilities in your Actions workflows through automated code scanning and Copilot autofix. For repositories using code scanning’s default setup, we will now automatically enable Actions workflow analysis when workflow files are detected in the default branch. For repositories using advanced setup, simply add the actions language to your existing configuration to enable this protection. https://lnkd.in/dD-dZ-Wr
- Hello security researchers! Sharing the GitHub March bug bounty stats!
  🐛 198 bounty reports submitted
  👩💻 135 hackers participated in our program
  💰 Awarded $62,701 in bounties
  Found a vulnerability on GitHub? Submit it here: http://bounty.github.com
- In our latest blog post, learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion. https://lnkd.in/gc_3CAH4
- Are you in Athens for Devoxx Greece? Don't miss 🤖 Joseph Katsioloudes' talks on the main stage this Thursday and Friday! Discover how AI, Developer Experience (DevEx), and communities shape software security through real-world examples from securely building GitHub using GitHub 🔒
- Attending #VULNCON2025 in Raleigh, North Carolina? Come join us for these exciting sessions:
  Tuesday, April 8
  - 15:00 – 16:00: "CNA Birds of a Feather: Open Forum with Certified Naming Authorities" by David Welch & Jonathan Evans
  - 16:00 – 16:30: "Managing Coordinated Disclosures: A Practical Workshop on Vulnerability Coordination" by Jeffrey Guerra & Sara Clements
  - 16:30 – 17:00: "Exploit Maturity: Your New Best Friend in CVSS" by Shelby Cunningham
  Wednesday, April 9
  - 09:00 – 09:30: "Breaking the Build: How Attackers Abuse GitHub Actions" by Jonathan Evans
  Thursday, April 10
  - 11:00 – 11:30: "CVE Unmoored: Implications of the Removal of the Technology Requirement" by Jonathan Evans
- Join us next week at #VULNCON2025 in Raleigh, North Carolina, where we’ll have a strong presence with these exciting sessions:
  Monday, April 7
  - 12:30 – 13:00: "From NIST to FIRST: How GitHub’s Product Security Response Organization Transitioned" by Jeffrey Guerra & Sara Clements
  - 14:30 – 15:30: "Vulnerability Poker: Real or AI Fake Vulnerabilities?" by Madison Oliver & Tobias Heldt
  Tuesday, April 8
  - 15:00 – 16:00: "CNA Birds of a Feather: Open Forum with Certified Naming Authorities" by David Welch & Jonathan Evans
  - 16:00 – 16:30: "Managing Coordinated Disclosures: A Practical Workshop on Vulnerability Coordination" by Jeffrey Guerra & Sara Clements
  - 16:30 – 17:00: "Exploit Maturity: Your New Best Friend in CVSS" by Shelby Cunningham
  Wednesday, April 9
  - 09:00 – 09:30: "Breaking the Build: How Attackers Abuse GitHub Actions" by Jonathan Evans
  Thursday, April 10
  - 11:00 – 11:30: "CVE Unmoored: Implications of the Removal of the Technology Requirement" by Jonathan Evans
- Learn how to set up CORS securely and avoid common pitfalls found in open-source software in our latest blog post! https://lnkd.in/gikBXtJS