Security

We put out a call to open source developers and security researchers to talk about the security vulnerability disclosure process. Here’s what we found.

Between July 21, 2021 and August 13, 2021 we received reports through one of our private security bug bounty programs from researchers regarding vulnerabilities in tar and @npmcli/arborist.

How GitHub uses code scanning to increase developer happiness, and how you can too.

We’re changing which keys are supported in SSH and removing unencrypted Git protocol. Only users connecting via SSH or git:// will be affected. If your Git remotes start with https://, nothing in this post will affect you. If you’re an SSH user, read on for the details and timeline.

Beginning October 4, 2021, all connections to npm websites and the npm registry, including for package installation, must use TLS 1.2 or higher.

GitHub’s supply chain security features are now available for Go modules, which will help the Go community discover, report, and prevent security vulnerabilities.

GitHub’s bug bounty program is now a mature component of how we improve product security. We’re excited to highlight some achievements (and interesting vulnerabilities)!

polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit.

GitHub secret scanning has been securing our users’ code by scanning for and revoking secrets since 2015. Recently, we’ve focused on scanning for package registry credentials as well—a significant and…

GitHub Actions provide a powerful, extensible way to automate software development workflows. When access to outside resources is required, GitHub provides the ability to store encrypted secrets used by GitHub…

In this second installment, I will focus on how to build our own custom ASAN interceptors in order to catch memory bugs when custom memory pools are implemented and also on how to intercept file system syscalls to detect logic errors in the target application.

When it comes to security research, the path from bug to vulnerability to exploit can be a long one. Security researchers often end their research journey at the “Proof of…

In this last post of the series, I’ll exploit a use-after-free in the Chrome renderer (CVE-2020-15972), a bug that I reported in September 2020 but turned out to be a duplicate, to gain remote code execution in the sandboxed renderer process in Chrome.

On March 8, we shared that, out of an abundance of caution, we logged all users out of GitHub.com due to a rare security vulnerability. We believe that transparency is…

Last month, a member of the CodeQL security community contributed multiple CodeQL queries for C# codebases that can help organizations assess whether they are affected by the SolarWinds nation-state attack on various parts of critical network infrastructure around the world.