GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Empower others

We build tools like CodeQL to make security easy for anyone working to secure open source.

Foster collaboration

We're building a community of security researchers and an open coalition of the world's security teams.

Vulnerabilities we've disclosed

Multiple int-to-bool casting vulnerabilities, leading to heap overflow
CVE-2020-6835 • bftpd Bftpd • published 19 days ago • discovered by Antonio
OOB read in btfdp due to uninitialized value in hidegroups_init() function
CVE-2020-6162 • bftpd Bftpd • published 21 days ago • discovered by Antonio
Stack overflow (stack exhaustion) in listdir (remote DoS)
CVE-2019-20176 • Pure-FTPd • published a month ago • discovered by Antonio
XSS vulnerability in hotspot link
CVE-2019-16763 • Pannellum • published 2 months ago • discovered by Max Schaefer
Integer overflow in amqp_handle_input
CVE-2019-18609 • rabbitmq-c • published 3 months ago • discovered by Agustin Gianni

See all disclosures

118 CVEs found

by Security Lab researchers

Meet the team

Nico Waisman

Open Source Entomologist

@nicowaisman @nicowaisman

Kevin Backhouse

Compilers, program analysis, security research

@kevinbackhouse @kevin_backhouse

Man Yue Mo

Security scavenger

@m-y-mo @mmolgtm

Agustin Gianni

Avoiding grep since 1999 AD

@agustingianni @agustingianni

Antonio Morales

EthicalHacker'BugHunter & C++; 3735928559

@antonio-morales @nosoynadiemas

Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

@xcorail @xcorail

Sam Lanning

Making security easier than gpg

@s0 @samlanning

Hauwa Otori

Operations and coalition builder for security research

@hauwaotori @hauwaotori

Bas Alberts

Debugging enthusiast

@anticomputer @basalberts

Alvaro Munoz

Spanish bugfighter

@pwntester @pwntester

Jaroslav Lobacevski

Security panda

@jarlob @yarlob

Coalition

We’re building a coalition of companies who share our belief that the security of open source is important for everyone. Our initial partners have all committed to contribute in different forms to achieving this goal. We invite others to join the effort.

Our tools

Our industry-leading code analysis engine, CodeQL, is now free for use on open source. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same.

Download CodeQL

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

CodeQL, Security, C++, Chromium

Review of Chromium IPC vulnerabilities

January 15, 2020

CVE, C/C++, Security

Ubuntu whoopsie integer overflow vulnerability (CVE-2019-11484)

December 23, 2019

CVE, Python, Security

Ubuntu apport PID recycling vulnerability (CVE-2019-15790)

December 19, 2019

See all research