Securing the world's software, together
Securing the world's software, together
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
What we do
Our researchers find and report new vulnerabilities in the open source projects everyone relies on.
We share our research through proof-of-concepts, articles, tutorials, conferences and community events.
We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL. Visit our CodeQL Wall of Fame.
We curate a database of CVEs and security advisories to notify open source developers and maintainers.
Our principles
Make securing open source easy for developers and maintainers.
Build a community of security researchers to serve the global open source community.
Vulnerabilities we've disclosed so far
-
Use-After-Free (UAF) in ServiceWorkerPaymentApp - CVE-2020-15967
-
Use-After-Free (UAF) in NFCHost
-
Server-Side Request Forgery (SSRF) in open-webui - CVE-2024-30256
-
Multiple command injections and path injections in Kohya_ss - CVE-2024-32022, CVE-2024-32026, CVE-2024-32025, CVE-2024-32027, CVE-2024-32024, CVE-2024-32023
-
Server-Side Request Forgery (SSRF) in Plane - CVE-2024-31461
Meet the team
Catching up on all the hacking that I should have done in the 1990s
@kevinbackhouse @kevin_backhouseJoin the effort
As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.
See our bounties