If you're at DeveloperWeek and you care about open source security, there is a session you must attend. The GitHub Security Lab has been contributing to secure open source for the past 6 years and Xavier René-Corail will share with you the lessons learned from this journey! How GitHub Secures Open Source, PRO stage, 1pm.
About us
- Website: https://securitylab.github.com
- Industry: Software Development
Updates
Who knows how to secure open source better than the maintainers themselves? 🛡️ In Session 3 of the GitHub Secure Open Source Fund, 67 more projects improved their defenses. From securing the AI stack to strengthening the global supply chain, find out how these maintainers are making security improvements that benefit the entire ecosystem. 👇 https://lnkd.in/eJWXj27q
Here are our January bug bounty stats! 🐛 182 bounty reports submitted 👩💻 112 hackers participated in our program 💰 Awarded $76,269 in bounties Found a vulnerability? Submit it here: https://t.co/HG2AqybW0p.
Learn how we triage security alerts in GitHub Actions and JavaScript projects with the new GitHub Security Lab Taskflow Agent, and leverage LLMs to focus on the exploitable vulnerabilities. https://lnkd.in/gq2gCDN2
AI won't catch your security vulnerabilities. But it might save you hundreds of hours fixing them.

Joseph Katsioloudes recently demonstrated something revealing at AI Native DevCon: he asked GitHub Copilot to find security issues in code. It correctly identified SQL injection. It also flagged passwords stored in plain text, except they weren't actually there. Pure hallucination.

The real problem? Run the same prompt twice, get different results. Same code, same model, completely different outputs.

Here's what actually works:
• Purpose-built security tools handle detection (they're deterministic and reliable)
• AI handles fixing (where it genuinely excels)
• This hybrid approach helps teams fix vulnerabilities 3x faster

Joseph's team built something practical for this: instruction files that prompt AI to perform structured security assessments of dependencies. Most developers spend under 15 minutes evaluating a new package before adopting it. These prompts deliver executive summaries with flagged risks and verifiable sources.

The takeaway isn't that AI is ineffective for security. It's that understanding where AI is strong versus where it can be unreliable makes all the difference.

The developers shipping secure code aren't choosing between AI and traditional tools. They're combining both strategically.

Read the full article here: https://tessl.co/kjp
We’re excited to share our open source agentic framework for security research. We’re using it ourselves for security research on open source software and have been getting strong results. https://lnkd.in/dbwfWf6V Our primary goal is community-powered security, so the framework is designed to be collaborative. We want to enable anybody engaged in open source security to share their security knowledge with the community by publishing the AI "taskflows" they use to automate tasks like auditing code for specific types of vulnerabilities. In this announcement blog post, Kevin Backhouse explains the goals of the project and walks you through a demo to help you get started. We'd love to build a community around it, so please give it a try. The more people that contribute, the more powerful it will be, which will benefit the open source code we all depend on! Also, stay tuned for more blog posts about this framework, in which we’ll take a deeper dive into some more complex taskflows and show some of the vulnerabilities that it’s helped us find. Please note: at GitHub Security Lab, we never send AI-generated vulnerability reports directly to open source maintainers. Although we're using AI to help us find vulnerabilities, we always manually verify the results before we contact the maintainer.
Don't wait for the next malware campaign to audit your security. 👀 We’ve outlined practical steps to lock down your supply chain now: ✅ Switch to phishing-resistant MFA (Passkeys/WebAuthn) ✅ Rotate and scope your tokens ✅ Review third-party access A little security cleanup today can save you from a massive headache tomorrow. 😅 https://lnkd.in/eYrsSZMs
We wrapped up 2025 on a high note—here are the bug bounty stats for December! ✅ 151 bounty reports submitted 👥110 hackers participated in our program 💰Awarded $48,367 in bounties Found a vulnerability? Submit it here: https://bounty.github.com.
Learn why some vulnerabilities resist fuzzing and persist in long-enrolled OSS-Fuzz projects, and how you can find them! Read all about it in our new blog: https://lnkd.in/g6vefmVZ
🎶’twas the night before Christmas, and nothing looked strange, until malicious artifacts showed up in the change 🎶 in light of some recent open source malware campaigns, we’ve outlined some practical steps teams can take now - using phishing-resistant MFA, rotating and scoping tokens, reviewing third-party access, and adopting safer package publishing workflows a little security cleanup now can help avoid unwelcome presents in the new year 🎁 read the post: https://lnkd.in/eEEngZ8v