We all have a collective responsibility to keep open source software secure; none of us can do it alone. Today at GitHub Universe we announced the GitHub Security Lab, a place where security researchers, maintainers and companies across the industry come together around a shared belief that open source security matters to everyone. We are pleased to have initial partners contributing to this goal. Together, we provide tools, resources, awards, and thousands of hours of security research to help protect the open source ecosystem.

As part of today's GitHub announcement, the Security Lab is making CodeQL freely available to anyone who wants to find vulnerabilities in open source code. CodeQL is a tool that many research groups around the world use to perform semantic code analysis, and we have used it ourselves to find over 100 registered CVEs (Common Vulnerabilities and Exposures) in popular open source projects.

We are also launching the GitHub Advisory Database, a public database of security advisories hosted on GitHub, together with additional data associated with packages tracked by the GitHub dependency graph.

GitHub's approach to security covers the entire security lifecycle of open source projects. The GitHub Security Lab helps you identify and report vulnerabilities in open source projects, while maintainers and developers use GitHub to create patches, coordinate disclosures, and update dependent projects so that the vulnerability is resolved.
GitHub Security Lab
The mission of the GitHub Security Lab is to inspire and empower the global community of security researchers to protect the world's code. Our team will lead by example by dedicating ongoing resources to finding and reporting vulnerabilities in critically important open source projects. The team has already been credited with over 100 CVEs for vulnerabilities it found.

Securing the world's open source projects is not an easy task. First, scale: the JavaScript ecosystem alone contains over a million open source packages. Second, there is a shortage of security specialists, roughly 500 developers for every one specialist. Finally, there is coordination: the world's security experts work across thousands of companies. The GitHub Security Lab and CodeQL will help with this.

In this work we are joined by companies who donate their time and expertise to find and report vulnerabilities in open source projects. Each has pledged to contribute in its own way, and we hope others will join us in the future.

- F5
- HackerOne
- Intel
- IOActive
- JP Morgan
- Microsoft
- Mozilla
- NCC Group
- Oracle
- Trail of Bits
- Uber
- VMware