GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL. Visit our CodeQL Wall of Fame.

Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Our principles

Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration

Build a community of security researchers to serve the global open source community.

Vulnerabilities we've disclosed so far

Arbitrary File Read in Ombi - CVE-2023-32322

GHSL-2023-088 • CVE-2023-32322 • published 2023/06/02 00:00:00 ago • discovered by Kevin Stubbings
Drive-by command injection in Brook's tproxy server - CVE-2023-33965

GHSL-2023-024 • CVE-2023-33965 • published 2023/06/02 00:00:00 ago • discovered by Alvaro Munoz
Command Injection in an Apache Cloudstack CI workflow

GHSL-2023-022 • published 2023/06/02 00:00:00 ago • discovered by Jaroslav Lobacevski
Arbitrary file write in the File Parameters Jenkins Plugin - CVE-2023-32986

GHSL-2023-077 • CVE-2023-32986 • published 2023/05/25 00:00:00 ago • discovered by team
Information disclosure in the Sidebar Link Plug-in for Jenkins - CVE-2023-32985

GHSL-2023-076 • CVE-2023-32985 • published 2023/05/25 00:00:00 ago • discovered by team

See all disclosures

433 CVEs found

by Security Lab researchers

310 since March 2020

Meet the team

Chamari Tucker

Hacker where? Hacker there.

@callmeMari

Joseph Katsioloudes

Making security easy for developers

@jkcso

Kevin Stubbings

Alright get out. From now on I'll do the memory managing around here.

@Kwstubbs

Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

@xcorail

Sylwia Budzynska

*hacker voice* I’m in

@sylwia-budzynska

Madison Oliver

Security transparency advocate

@taladrane

Kevin Backhouse

Catching up on all the hacking that I should have done in the 1990s

@kevinbackhouse

@kevin_backhouse

Jorge Rosillo

while true; do ./research; ./ctf; done

@jorgectf

@jorge_ctf

Man Yue Mo

Security scavenger

@m-y-mo

@mmolgtm

Jonathan Moroney

Seeking safer software

@darakian

@Hooray_Darakian

Shelby Cunningham

Security person with a dash of data privacy

@shelbyc

Antonio Morales

EthicalHackerBugHunter & C++; 3735928559

@antonio-morales

@nosoynadiemas

Jaroslav Lobacevski

Security panda

@jarlob

@yarlob

Nancy Gariché

Community Building as Secure Code

@nanzggits

Peter Stöckli

Helping developers by breaking things.

@p-

@ulldma

Michael Stepankin

get shell or die trying.

@artsploit

Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

@pwntester

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

Coordinated vulnerability disclosure (CVD) for open source projects

A comprehensive guide for vulnerability reporters.

Nancy Gariché

February 9, 2022

Fuzzing sockets: Apache HTTP, Part 3: Results

In the finale of the Fuzzing sockets series, Antonio shares the results of his research on Apache HTTP server.

Antonio Morales

December 21, 2021

Getting root on Ubuntu through wishful thinking

How to exploit a double-free vulnerability in Ubuntu's accountsservice (CVE-2021-3939).

Kevin Backhouse

December 13, 2021

See all our articles