GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL.

Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Our principles

Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration

Build a community of security researchers to serve the global open source community.

Vulnerabilities we've disclosed so far

Type confusion in Nokogiri leads to memory leak or DoS - CVE-2022-29181

GHSL-2022-031_GHSL-2022-032 • CVE-2022-29181 • published 2022/05/18 00:00:00 ago • discovered by Agustin Gianni
XSS in Baremetrics - CVE-2021-32859

GHSL-2021-1042 • CVE-2021-32859 • published 2022/05/18 00:00:00 ago • discovered by team
Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612

GHSL-2022-012 • CVE-2022-26612 • published 2022/04/20 00:00:00 ago • discovered by Jaroslav Lobacevski
Path traversal in the OWASP Enterprise Security API (ESAPI)- CVE-2022-23457

GHSL-2022-008 • CVE-2022-23457 • published 2022/04/20 00:00:00 ago • discovered by Jaroslav Lobacevski
Cross-Site Scripting (XXS) in Cockpit Next - CVE-2021-32857

GHSL-2021-1035 • CVE-2021-32857 • published 2022/04/05 00:00:00 ago • discovered by team

See all disclosures

331 CVEs found

by Security Lab researchers

208 since March 2020

Meet the team

Madison Oliver

Security transparency advocate

@taladrane

Chamari Tucker

Hacker where? Hacker there.

@callmeMari

Ron Wochner

Breaker of things, fixer of some, curator of many.

@ronwoch

Man Yue Mo

Security scavenger

@m-y-mo

@mmolgtm

Shelby Cunningham

Security mostly, with privacy and retro if there's time.

@shelbyc

@shelbyc64

Hauwa Otori

Operations and coalition builder for security research

@hauwaotori

Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

@xcorail

Jaroslav Lobacevski

Security panda

@jarlob

@yarlob

Jonathan Moroney

Seeking safer software

@darakian

@Hooray_Darakian

Nancy Gariché

Community Building as Secure Code

@nanzggits

Joseph Katsioloudes

Making security easy for developers

@jkcso

Jorge Rosillo

while true; do ./research; ./ctf; done

@jorgectf

@jorge_ctf

Agustin Gianni

Avoiding grep since 1999 AD

@agustingianni

Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

@pwntester

Antonio Morales

EthicalHackerBugHunter & C++; 3735928559

@antonio-morales

@nosoynadiemas

Kevin Backhouse

Catching up on all the hacking that I should have done in the 1990s

@kevinbackhouse

@kevin_backhouse

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

Coordinated vulnerability disclosure (CVD) for open source projects

A comprehensive guide for vulnerability reporters.

Nancy Gariché

February 9, 2022

Fuzzing sockets: Apache HTTP, Part 3: Results

In the finale of the Fuzzing sockets series, Antonio shares the results of his research on Apache HTTP server.

Antonio Morales

December 21, 2021

Getting root on Ubuntu through wishful thinking

How to exploit a double-free vulnerability in Ubuntu's accountsservice (CVE-2021-3939).

Kevin Backhouse

December 13, 2021

See all our articles