skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities
Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community
Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research
Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL.

Notify the ecosystem
Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Our principles

Empower others
Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration
Foster collaboration

Build a community of security researchers to serve the global open source community.

Vulnerabilities we've disclosed so far

  • ReDoS (Regular Expression Denial of Service) in Apprise
    GHSL-2021-120 • published 2021/10/20 00:00:00 ago • discovered by Kevin Backhouse
  • ReDoS (Regular Expression Denial of Service) in pydal
    GHSL-2021-116 • published 2021/10/20 00:00:00 ago • discovered by Kevin Backhouse
  • ReDoS (Regular Expression Denial of Service) in Calibre
    GHSL-2021-112 • published 2021/10/15 00:00:00 ago • discovered by Kevin Backhouse
  • Poor random number generation in keypair - CVE-2021-41117
    GHSL-2021-1012CVE-2021-41117 • published 2021/10/11 00:00:00 ago • discovered by team
  • ReDoS (Regular Expression Denial of Service) in Zulip - CVE-2021-41115
    GHSL-2021-118CVE-2021-41115 • published 2021/10/08 00:00:00 ago • discovered by team
shape
shape
288 CVEs found
by Security Lab researchers
165 since March 2020

Meet the team

Robert Schultheis

I read your CVEs

GitHub icon @rschultheis
Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

GitHub icon @pwntester twitter icon @pwntester
Hauwa Otori

Operations and coalition builder for security research

GitHub icon @hauwaotori twitter icon @hauwaotori
Bas Alberts

Debugging enthusiast

GitHub icon @anticomputer twitter icon @basalberts
Antonio Morales

EthicalHacker­BugHunter & C++; 3735928559

GitHub icon @antonio-morales twitter icon @nosoynadiemas
Man Yue Mo

Security scavenger

GitHub icon @m-y-mo twitter icon @mmolgtm
Shelby Cunningham

Security mostly, with privacy and retro if there's time.

GitHub icon @shelbyc twitter icon @shelbyc64
Joseph Katsioloudes

Making security easy for developers

GitHub icon @jkcso twitter icon @jkcso
Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

GitHub icon @xcorail twitter icon @xcorail
Agustin Gianni

Avoiding grep since 1999 AD

GitHub icon @agustingianni twitter icon @agustingianni
Jaroslav Lobacevski

Security panda

GitHub icon @jarlob twitter icon @yarlob
Kevin Backhouse

Compilers, program analysis, security research

GitHub icon @kevinbackhouse twitter icon @kevin_backhouse
Jonathan Moroney

Seeking safer software

GitHub icon @darakian twitter icon @Hooray_Darakian
shape shape shape
mona puzzle

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

Chrome in-the-wild bug analysis: CVE-2021-37975
October 19, 2021
The fugitive in Java: Escaping to Java to escape the Chrome sandbox
September 30, 2021
Chrome in-the-wild bug analysis: CVE-2021-30632
September 27, 2021