Vulnerability research

We put out a call to open source developers and security researchers to talk about the security vulnerability disclosure process. Here’s what we found.

Between July 21, 2021 and August 13, 2021 we received reports through one of our private security bug bounty programs from researchers regarding vulnerabilities in tar and @npmcli/arborist.

GitHub’s bug bounty program is now a mature component of how we improve product security. We’re excited to highlight some achievements (and interesting vulnerabilities)!

polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit.

On March 8, we shared that, out of an abundance of caution, we logged all users out of GitHub.com due to a rare security vulnerability. We believe that transparency is…

Last year at GitHub Universe, we introduced the GitHub Security Lab, which is committed to contributing resources, tooling, bounties, and security research to secure the open source ecosystem. We know…

Saying thanks is now a core part of the Security Advisory workflow.

Join our Capture the Flag challenge to use your CodeQL skills or learn new ones.

A phishing campaign targeting our customers lures GitHub users into providing their credentials (including two-factor authentication codes). Learn more about the threat and what you can do to protect yourself.

Learn more about the Bug Bounty program, including a recap of 2019’s bugs, our expanded scope, new features, and more.

Software security is a collective problem, a responsibility that involves producers and consumers of code, open source maintainers, security researchers, and security teams. At GitHub, we want to give the community the tools it needs to secure the software we all depend on.