Happy anniversary GitHub Security Lab!

Image of Jamie Cool

Last year at GitHub Universe, we introduced the GitHub Security Lab, which is committed to contributing resources, tooling, bounties, and security research to secure the open source ecosystem. We know this isn’t a problem that GitHub alone can solve, and so a key goal of ours is to partner with researchers, maintainers, and companies across the industry who share our belief that the security of open source is important for everyone. The mission of the GitHub Security Lab is focused on open source software, and is articulated around three main axes: security research, community building, and industry engagement.

Just like for the rest of the world, 2020 has been a whirlwind year filled with new challenges and opportunities for the Security Lab. Here’s a look at some highlights from our first year. 

Security research

At its heart, the Security Lab is a team of security researchers focused on finding vulnerabilities in OSS before they turn into exploits. Through CodeQL-driven variant analysis, targeted fuzzing, and manual code review, the GitHub Security Lab has reported over 400 issues (via coordinated disclosure) across the open source community, which has translated into 194 Common Vulnerabilities and Exposures (CVE) assignments to date. 

We reported vulnerabilities in high-profile projects, including: 

The team also helped stop an active supply chain attack, and most recently contributed to identifying and fixing a critical remote vulnerability in Germany’s COVID-19 response infrastructure.

We want the work we do to both provide inspiration for others, but also to provide a channel for the work the security community does back into the development community. This is why when we find a vulnerability we don’t just report it, but whenever possible contribute a query to CodeQL so that developers don’t make the same mistake in the future. 

Community building

Coding is social, and so is security. This is why we are building a community where security researchers can share their knowledge, use our platform to amplify their work, and go beyond the classic security research routes to empower developers. 

Within the Security Lab bug bounty program, we don’t just ask researchers to report bugs, we also ask them to create CodeQL queries that will automatically detect these bugs at scale. This year, we rewarded more than $100,000 in bounty rewards to more than 20 different contributors. The queries that were created as result of these bounties now run continuously on hundreds of thousands of open source projects with code scanning, to prevent vulnerabilities from reoccurring. 

To further encourage community contributions, we recently doubled our rewards for high impact submissions. We want to better reward researchers contributing to the long-term security of open source software, and are now rewarding up to $6,000 per critical submission!  

Industry engagement

Alongside the announcement of the GitHub Security Lab last year, we also launched the Open Source Security Coalition (OSSC), to bring together companies and organizations committed to help secure open source software globally. We welcomed 21 founding members from around the world, including Google, HackerOne, IOActive, Mozilla, Microsoft, NCC Group, and Trail of Bits.

The coalition included four active working groups focused on vulnerability disclosures, identifying threats to open source projects, best practices for open source developers, and security tooling. This work quickly led to the coalition’s first report, The Threats, Risks, and Mitigations in the Open Source Ecosystem. We also shared key lessons learned in driving this coalition.   

Building on these efforts, a few months ago, we proudly announced the coalition joined forces with other open source security initiatives to form the Open Source Security Foundation, where GitHub is a founding member. Through the OpenSFF, GitHub has already contributed to the OpenSSF CVE Benchmark, a new set of tooling and data to evaluate static application security testing (SAST) tools based on real-world codebases.

As the Security Lab continues to engage in industry efforts, we are also expanding our focus to include socio-technical aspects of security research. More specifically, we are exploring how to improve communication between open source maintainers and security researchers in the vulnerability disclosure process. 

What’s next for the GitHub Security Lab?

With 194 CVEs found so far, the race is on to see how many new ones we can find in the 2021 bug hunting season. As we reflect on the lessons learned from our inaugural year, we also look forward with a renewed focus on making our research content actionable for both the developer and security research community.

Whether it’s the GitHub Security Lab finding the vulnerability or someone else, we believe the workflow for notifying, fixing, and publicly disclosing OSS vulnerabilities can be a richer and more collaborative process between security researchers and maintainers. GitHub has been working to make the process better with the introduction of security advisories and the advisory database. In the Security Lab, we especially appreciated how security researchers can now get credit for their findings. In 2021, the Security Lab is getting more directly involved in making this OSS vulnerability workflow one the entire community can participate in and trust. 

In the last year, much of our effort has focused on finding exploitable OSS vulnerabilities that developers have unintentionally introduced. But there is an increasing amount of attacks on the OSS supply chain itself via name hijacking and malware. We think these too are problems that we will be able to help with.

Last, but certainly not least, we want to continue to help bridge the gap between the security and development communities. Today CodeQL queries are one mechanism for doing that and we will continue our efforts there. But this also comes in the form of producing educational content and participation in community efforts, most notably the OpenSSF.

We hope you will be part of this exciting adventure and help secure open source software together.