Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities
Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Empower others
Empower others

We build tools like CodeQL to make security easy for anyone working to secure open source.

Foster collaboration
Foster collaboration

We're building a community of security researchers and an open coalition of the world's security teams.

Vulnerabilities we've disclosed

  • ReDoS in NodeRedis - CVE-2021-29469
    GHSL-2021-026CVE-2021-29469 • published 2021-05-12 00:00:00 +0000 ago • discovered by Kevin Backhouse
  • Arbitrary code execution when cloning/checking out a Gradle project - CVE-2021-29263
    GHSL-2020-337_338CVE-2021-29263 • published 2021-05-12 00:00:00 +0000 ago • discovered by Alvaro Munoz
  • Template object injection in Mailtrain - CVE-2021-27136
    GHSL-2021-032CVE-2021-27136 • published 2021-05-04 00:00:00 +0000 ago • discovered by Agustin Gianni
  • Unauthorized repository modification or secrets exfiltration in GitHub workflows of OpenRefine
    GHSL-2021-005 • published 2021-05-04 00:00:00 +0000 ago • discovered by Jaroslav Lobacevski
  • Unauthorized repository modification or secrets exfiltration in GitHub workflows of alisw/alidist and alisw/ali-bot
    GHSL-2021-003 • published 2021-05-04 00:00:00 +0000 ago • discovered by Jaroslav Lobacevski
See all disclosures
shape
shape
233 CVEs found
by Security Lab researchers

Meet the team

Kevin Backhouse

Compilers, program analysis, security research

GitHub icon @kevinbackhouse twitter icon @kevin_backhouse
Man Yue Mo

Security scavenger

GitHub icon @m-y-mo twitter icon @mmolgtm
Agustin Gianni

Avoiding grep since 1999 AD

GitHub icon @agustingianni twitter icon @agustingianni
Antonio Morales

EthicalHacker­BugHunter & C++; 3735928559

GitHub icon @antonio-morales twitter icon @nosoynadiemas
Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

GitHub icon @xcorail twitter icon @xcorail
Hauwa Otori

Operations and coalition builder for security research

GitHub icon @hauwaotori twitter icon @hauwaotori
Bas Alberts

Debugging enthusiast

GitHub icon @anticomputer twitter icon @basalberts
Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

GitHub icon @pwntester twitter icon @pwntester
Jaroslav Lobacevski

Security panda

GitHub icon @jarlob twitter icon @yarlob
Robert Schultheis

I read your CVEs

GitHub icon @rschultheis
Shelby Cunningham

Security mostly, with privacy and retro if there's time.

GitHub icon @shelbyc twitter icon @shelbyc64
Jonathan Moroney

Seeking safer software

GitHub icon @darakian twitter icon @Hooray_Darakian
shape shape shape
shape

Our tools

Our industry-leading code analysis engine, CodeQL, is now free for use on open source. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same.

Download CodeQL
mona puzzle

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

  • LiveQL
  • CodeQL
  • Java
  • CVE
LiveQL Episode II: The Rhino in the room
April 19, 2021
  • Fuzzing
  • Apache HTTP
  • Address Sanitizer
  • Interceptors
  • CVE
Fuzzing sockets: Apache HTTP, Part 2: Custom Interceptors
March 30, 2021
  • Chrome
  • Security
  • Exploit
One day short of a full chain: Part 3 - Chrome renderer RCE
March 24, 2021
See all research