The Wayback Machine - https://web.archive.org/web/20210320185259/https://securitylab.github.com/
GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Empower others

We build tools like CodeQL to make security easy for anyone working to secure open source.

Foster collaboration

We're building a community of security researchers and an open coalition of the world's security teams.

Vulnerabilities we've disclosed

  • Template injection in a GitHub workflow of koriwi/freedeck-configurator
    GHSL-2020-324 • published 9 days ago • discovered by Jaroslav Lobačevski
  • Unauthorized repository modification or secrets exfiltration in GitHub workflows of w3c/aria-practices
    GHSL-2020-277 • published 9 days ago • discovered by Jaroslav Lobačevski
  • Use-after-free (UaF) in Qualcomm kgsl driver
    GHSL-2020-375 • CVE-2020-11239 • published 12 days ago • discovered by Man Yue Mo
  • Unauthorized repository modification or secrets exfiltration in a GitHub workflow of numworks/epsilon
    GHSL-2020-273 • published 12 days ago • discovered by Jaroslav Lobačevski
  • Use-after-free (UaF) in Chrome AudioHandler
    GHSL-2020-167 • CVE-2020-15972, CVE-2021-21114 • published 12 days ago • discovered by Man Yue Mo

223 CVEs found by Security Lab researchers

Meet the team

  • Kevin Backhouse
    Compilers, program analysis, security research
    @kevinbackhouse • @kevin_backhouse
  • Man Yue Mo
    Security scavenger
    @m-y-mo • @mmolgtm
  • Agustin Gianni
    Avoiding grep since 1999 AD
    @agustingianni • @agustingianni
  • Antonio Morales
    EthicalHacker'BugHunter & C++; 3735928559
    @antonio-morales • @nosoynadiemas
  • Xavier René-Corail
    3-legged race organizer: Building bridges between Dev and Sec
    @xcorail • @xcorail
  • Hauwa Otori
    Operations and coalition builder for security research
    @hauwaotori • @hauwaotori
  • Bas Alberts
    Debugging enthusiast
    @anticomputer • @basalberts
  • Alvaro Munoz
    Hacking since 1970-01-01T00:00:00Z
    @pwntester • @pwntester
  • Jaroslav Lobacevski
    Security panda
    @jarlob • @yarlob
  • Robert Schultheis
    I read your CVEs
    @rschultheis
  • Shelby Cunningham
    Security mostly, with privacy and retro if there's time
    @shelbyc • @shelbyc64

Our tools

Our industry-leading code analysis engine, CodeQL, is now free for use on open source. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same.

Download CodeQL

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties