We’re excited to share our open source agentic framework for security research. We’re using it ourselves for security research on open source software and have been getting strong results. https://lnkd.in/dbwfWf6V

Our primary goal is community-powered security, so the framework is designed to be collaborative. We want to enable anybody engaged in open source security to share their security knowledge with the community by publishing the AI "taskflows" they use to automate tasks like auditing code for specific types of vulnerabilities.

In this announcement blog post, Kevin Backhouse explains the goals of the project and walks you through a demo to help you get started. We'd love to build a community around it, so please give it a try. The more people that contribute, the more powerful it will be, which will benefit the open source code we all depend on!

Also, stay tuned for more blog posts about this framework, in which we’ll take a deeper dive into some more complex taskflows and show some of the vulnerabilities that it’s helped us find.

Please note: at GitHub Security Lab, we never send AI-generated vulnerability reports directly to open source maintainers. Although we're using AI to help us find vulnerabilities, we always manually verify the results before we contact the maintainer.
About us
- Website: https://securitylab.github.com
- Industry: Software Development
Updates
GitHub Security Lab reposted this
Don't wait for the next malware campaign to audit your security. 👀 We’ve outlined practical steps to lock down your supply chain now:
✅ Switch to phishing-resistant MFA (Passkeys/WebAuthn)
✅ Rotate and scope your tokens
✅ Review third-party access
A little security cleanup today can save you from a massive headache tomorrow. 😅 https://lnkd.in/eYrsSZMs
We wrapped up 2025 on a high note—here are the bug bounty stats for December!
✅ 151 bounty reports submitted
👥 110 hackers participated in our program
💰 Awarded $48,367 in bounties
Found a vulnerability? Submit it here: https://bounty.github.com.
Learn why some vulnerabilities resist fuzzing and persist in long-enrolled OSS-Fuzz projects, and how you can find them! Read all about it in our new blog: https://lnkd.in/g6vefmVZ
GitHub Security Lab reposted this
🎶’twas the night before Christmas, and nothing looked strange, until malicious artifacts showed up in the change 🎶 in light of some recent open source malware campaigns, we’ve outlined some practical steps teams can take now - using phishing-resistant MFA, rotating and scoping tokens, reviewing third-party access, and adopting safer package publishing workflows a little security cleanup now can help avoid unwelcome presents in the new year 🎁 read the post: https://lnkd.in/eEEngZ8v
In just 17 minutes, 📌 Jaroslav Lobačevski shares his knowledge about securing GitHub Actions, drawing from hands-on experience uncovering hundreds of real-world vulnerabilities. Topics include:
• Best practices for using third-party actions
• The security model of GitHub Actions: tokens and permissions, job isolation and secrets
• pull_request vs pull_request_target
• Common pitfalls that lead to Remote Code Execution (RCE): interpolation and environment injections, cache poisoning
• …and more
The talk wraps up with FREE tools to automate GitHub Actions security you can start using TODAY. https://lnkd.in/gpHRzQCd
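Two of the pitfalls named in the talk summary (event data interpolated straight into a `run:` shell step, and a `pull_request_target` workflow that checks out the pull request head) are easy to spot with a line-based scan of the workflow file. The script below is an added example written for this page; it is not code from GitHub Security Lab, the talk, or any of the tools it mentions. The workflow it scans is constructed for the example, and the rule "any `${{ github.event.* }}` or `${{ github.head_ref }}` inside `run:`" is a deliberately coarse heuristic: fields like `.sha` or `.number` are low risk, so each hit is a prompt for review rather than a confirmed bug. The safe pattern it contrasts against is the one commonly recommended in GitHub's own docs: pass the expression through an `env:` variable and reference it as `$PR_TITLE` from the shell.

```python
"""Heuristic scan for two GitHub Actions pitfalls: event data interpolated
into `run:` shell steps, and a pull_request_target workflow that checks out
the pull request head. Line-based on purpose so it needs no YAML library;
it is a review aid, not a proof of exploitability."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int     # 1-based line number in the workflow text
    kind: str     # "run-interpolation" or "pr-target-checkout"
    detail: str   # the matched expression or a short explanation


# A ${{ }} expression that reads the event payload or the head ref. Fields such
# as .sha or .number are low risk, so a hit means "review this", not "bug".
EVENT_EXPR = re.compile(r"\$\{\{[^}]*github\.(?:event\.|head_ref)[^}]*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?(run):\s*(.*?)\s*$")
BLOCK_SCALAR = re.compile(r"^[|>][-+0-9]*\s*(?:#.*)?$")   # run: |  or  run: >-
REF_KEY = re.compile(r"^\s*ref:\s*(.*?)\s*$")
PR_HEAD = re.compile(r"github\.(?:event\.pull_request\.head\b|head_ref)")

# Constructed sample workflow (not from the page or any real repository):
# one unsafe inline step, one unsafe block-scalar step, one safe env-based step.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: unsafe title
        run: echo "Thanks for ${{ github.event.pull_request.title }}"
      - name: unsafe body
        run: |
          echo "Body was:"
          echo "${{ github.event.pull_request.body }}"
      - name: safe title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for $PR_TITLE"
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def scan_workflow(text: str) -> List[Finding]:
    """Return findings sorted by line number."""
    findings: List[Finding] = []
    uses_pr_target = False
    head_checkouts: List[int] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if m:
            # An inline value lives on this line; a block scalar continues on
            # every following line indented deeper than the `run` key itself.
            end = i + 1
            if BLOCK_SCALAR.match(m.group(2)):
                key_col = m.start(1)
                while end < len(lines) and (
                    not lines[end].strip() or _indent(lines[end]) > key_col
                ):
                    end += 1
            for n in range(i, end):
                for hit in EVENT_EXPR.findall(lines[n]):
                    findings.append(Finding(n + 1, "run-interpolation", hit))
            i = end
            continue
        if re.search(r"\bpull_request_target\b", lines[i]):
            uses_pr_target = True
        r = REF_KEY.match(lines[i])
        if r and PR_HEAD.search(r.group(1)):
            head_checkouts.append(i + 1)
        i += 1
    if uses_pr_target:
        # Checking out the PR head only matters when the job also carries the
        # base repository's write token and secrets, i.e. pull_request_target.
        for n in head_checkouts:
            findings.append(Finding(n, "pr-target-checkout",
                                    "PR head checked out under pull_request_target"))
    return sorted(findings)


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the constructed workflow it reports the `ref:` line under `pull_request_target` and the two `run:` steps that splice the PR title and body into the shell command, while the `env:`-based step passes untouched. The block-scalar handling is what makes the scan useful on real files, since most `run:` steps are multi-line `|` blocks and a single-line regex would miss them.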
GitHub Security Lab discovered a critical vulnerability in WooCommerce. We’d like to thank WooCommerce/Automattic for their incredibly quick response and fix of the vulnerability. “A critical vulnerability was discovered in WooCommerce (versions 8.1 to 10.4.2) that, if exploited, could allow logged-in customers to access order details belonging to guest customers.” If you are using WooCommerce, please update. For more info see WooCommerce’s blog post: https://lnkd.in/gDcU_--M
The Security Lab is hiring Security Researchers in the US and in the UK! Reporting to Kevin Backhouse and Xavier René-Corail. Apply on the GitHub Careers page! Search for "Security Lab" https://lnkd.in/gj4kJuyp
I am hiring a Principal Security Researcher for the GitHub Security Lab!
- If you're passionate about open source software and want to join a team of talented security folks dedicated to securing open source projects, helping maintainers, and researching the new vulnerability patterns we need protection from,
- If you're looking for a culture that fosters continuous learning, encourages experiments, and values collaboration,
Don't miss this opportunity: https://lnkd.in/gew9v9kg
We’re #hiring. 2 Principal Security Researchers, in the US and the UK. Know anyone who might be interested?