GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

Securing the world's software, together

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

Follow @GHSecurityLab

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL.

Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Our principles

Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration

Build a community of security researchers to serve the global open source community.

Vulnerabilities we've disclosed so far

Disclosure of the host memory into the virtualized guest in hyperkit - CVE-2021-32847

GHSL-2021-058 • CVE-2021-32847 • published 2021/10/05 00:00:00 ago • discovered by Agustin Gianni
Code execution outside the virtualized guest in hyperkit - CVE-2021-32843, CVE-2021-32844, CVE-2021-32845, CVE-2021-32846

GHSL-2021-054_057 • CVE-2021-32843 • CVE-2021-32844 • CVE-2021-32845 • CVE-2021-32846 • published 2021/10/05 00:00:00 ago • discovered by Agustin Gianni
Use After Free (UAF) in Chrome - CVE-2021-30528

GHSL-2021-124 • CVE-2021-30528 • published 2021/09/29 00:00:00 ago • discovered by Man Yue Mo
Copy-paste XSS in jSuites editor - CVE-2021-41086

GHSL-2021-1002 • CVE-2021-41086 • published 2021/09/28 00:00:00 ago • discovered by ghsecuritylab
ReDoS (Regular Expression Denial of Service) in python-sqlparse - CVE-2021-32839

GHSL-2021-107 • CVE-2021-32839 • published 2021/09/23 00:00:00 ago • discovered by Kevin Backhouse

See all disclosures

285 CVEs found

by Security Lab researchers

162 since March 2020

Meet the team

Kevin Backhouse

Compilers, program analysis, security research

@kevinbackhouse

@kevin_backhouse

Man Yue Mo

Security scavenger

@m-y-mo

@mmolgtm

Agustin Gianni

Avoiding grep since 1999 AD

@agustingianni

Antonio Morales

EthicalHackerBugHunter & C++; 3735928559

@antonio-morales

@nosoynadiemas

Xavier René-Corail

3-legged race organizer: Building bridges between Dev and Sec

@xcorail

Hauwa Otori

Operations and coalition builder for security research

@hauwaotori

Bas Alberts

Debugging enthusiast

@anticomputer

@basalberts

Alvaro Munoz

Hacking since 1970-01-01T00:00:00Z

@pwntester

Jaroslav Lobacevski

Security panda

@jarlob

@yarlob

Robert Schultheis

I read your CVEs

@rschultheis

Shelby Cunningham

Security mostly, with privacy and retro if there's time.

@shelbyc

@shelbyc64

Jonathan Moroney

Seeking safer software

@darakian

@Hooray_Darakian

Join the effort

As a security researcher, your expertise is instrumental in securing the world’s software. Codify that knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Get rewarded for queries that have a positive impact on open source projects through our bounty program.

See our bounties

Our latest research

Chrome
Security
Exploit

The fugitive in Java: Escaping to Java to escape the Chrome sandbox

September 30, 2021

Chrome
Security
Exploit

Chrome in-the-wild bug analysis: CVE-2021-30632

September 27, 2021

CodeQL
Java
CVE

Apache Dubbo: All roads lead to RCE

September 21, 2021

See all research