GitHub Security Lab aims to make open source software more secure

GitHub, the world’s largest open source code repository and leading software development platform, has launched GitHub Security Lab.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub.

GitHub Security Lab

GitHub Security Lab is a program aimed at researchers, maintainers, and companies that want to contribute to the overall security of open source software.

Current contributors/partners include companies like Microsoft (GitHub is a Microsoft subsidiary), Google, HackerOne, Intel, IOActive, LinkedIn, Mozilla, NCC Group, Oracle, Trail of Bits, Uber, VMware, F5 and J.P. Morgan, which will be “donating their time and expertise to find and report vulnerabilities in open source software.”

Two months ago, GitHub became a CVE Numbering Authority (CNA). This allows the company to issue CVE identifiers for all libraries and products hosted on in a public repository, unless they are otherwise covered by another CNA.

According to Cool, the team has already had over 100 CVEs issued for security vulnerabilities it has found.

“Securing the world’s open source software is a daunting task,” he explained. “First, there’s scale: the JavaScript ecosystem alone has over one million open source packages. Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies.”

Security Lab is an effort meant to make the task easier, especially since GitHub has made CodeQL, its semantic code analysis engine, free to use on open source.

“CodeQL lets you query code as though it were data. If you know of a coding mistake that caused a vulnerability, you can write a query to find all variants of that code, eradicating a whole class of vulnerabilities forever,” Cool pointed out.

When a researchers identifies a vulnerability in an open source project and shares the discovery with the GitHub Security Lab team, the team reports it to the publicly-listed security contact for the project or the project maintainers.

They will help the project security team or maintainers with the public disclosure process, but the responsibility for developing and releasing a patch lies firmly with the project team.

“Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team, or 30 days after a project maintainer has published a code change that publicly addresses the vulnerability, whichever is sooner,” the team explained.

Bug bounties are offered to participants who find new vulnerabilities in open source software using CodeQL (up to $2500 USD) and/or write queries that identify a class of vulnerabilities with a high precision (up to $3000 USD).

Automated security updates

GitHub is also launching a database of security advisories.

“With Security Advisories, maintainers can work with security researchers on security fixes in a private space, apply for a CVE directly from GitHub, and specify structured details about the vulnerability. Then, when they’re ready to publish the Security Advisory, GitHub will send security alerts to affected projects.”

Finally, GitHub creates automated security updates (pull requests) that update a vulnerable dependency to a fixed version. Maintainers of projects with vulnerable dependencies will be alerted to the newly discovered flaw(s) and will be offered the option to merge those pull requests into the upstream repository.


Security advisories and Dependabot-powered automated security fixes were introduced earlier this year.

In 2017, GitHub started alerting developers of security vulnerabilities in dependencies and added Python support for security alerts in 2018.

Don't miss