GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL.

Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Our principles

Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration

Build a community of security researchers to serve the global open source community.

Vulnerabilities we've disclosed so far

ReDoS (Regular Expression Denial of Service) in H20

GHSL-2021-119 • published 2022/01/12 00:00:00 ago • discovered by Kevin Backhouse
Cross-Site Scripting (XSS) in mermaid.js

GHSL-2021-1058_GHSL-2021-1060 • CVE-2021-43861 • published 2022/01/12 00:00:00 ago • discovered by team
Command injection in Apache Kylin - CVE-2021-45457, CVE-2021-45456, CVE-45458

GHSL-2021-1048_GHSL-2021-1051 • CVE-2021-45457 • CVE-2021-45456 • CVE-2021-45458 • published 2022/01/12 00:00:00 ago • discovered by team
Improper sanitization of data URLs and style attributes in lxml HTML Sanitizer - CVE-2021-43818

GHSL-2021-1037_GHSL-2021-1038 • CVE-2021-43818 • published 2022/01/12 00:00:00 ago • discovered by Alvaro Munoz
Unauthorized repository modification or secrets exfiltration in a GitHub workflow of BitByte-TPC/first-bit

GHSL-2020-313 • published 2022/01/06 00:00:00 ago • discovered by Jaroslav Lobacevski

See all disclosures

313 CVEs found

by Security Lab researchers

190 since March 2020

Meet the team

Jonathan Moroney

Seeking safer software

@darakian

@Hooray_Darakian

Agustin Gianni

Avoiding grep since 1999 AD

@agustingianni

Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

@xcorail

Jaroslav Lobacevski

Security panda

@jarlob

@yarlob

Hauwa Otori

Operations and coalition builder for security research

@hauwaotori

Joseph Katsioloudes

Making security easy for developers

@jkcso

Antonio Morales

EthicalHackerBugHunter & C++; 3735928559

@antonio-morales

@nosoynadiemas

Nancy Gariché

Community Building as Secure Code

@nanzggits

Man Yue Mo

Security scavenger

@m-y-mo

@mmolgtm

Chamari Tucker

Hacker where? Hacker there.

@callmeMari

Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

@pwntester

Madison Oliver

Security transparency advocate

@taladrane

Bas Alberts

Debugging enthusiast

@anticomputer

@basalberts

Shelby Cunningham

Security mostly, with privacy and retro if there's time.

@shelbyc

@shelbyc64

Kevin Backhouse

Catching up on all the hacking that I should have done in the 1990s

@kevinbackhouse

@kevin_backhouse

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

Fuzzing
Apache HTTP
CVE

Fuzzing sockets: Apache HTTP, Part 3: Results

December 21, 2021

Bounties

Updates to the Bug Slayer bug bounty program

December 15, 2021

CVE
Security
Exploit

Getting root on Ubuntu through wishful thinking

December 13, 2021

See all research