Securing the world's software, together
Securing the world's software, together
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
What we do
Our researchers find and report new vulnerabilities in the open source projects everyone relies on.
We build tools like CodeQL to make security easy for anyone working to secure open source.
We're building a community of security researchers and an open coalition of the world's security teams.
Vulnerabilities we've disclosed
- Unauthorized repository modification or secrets exfiltration in several GitHub workflows of linebender
- Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Tautulli
- Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Automattic/jetpack
- Weak JSON Web Token (JWT) signing secret in YApi
- Open redirect vulnerability in Slashify
Meet the team
Our tools
Our industry-leading code analysis engine, CodeQL, is now free for use on open source. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same.
Download CodeQL
Join the effort
As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.
See our bounties