Securing the world's software, together
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
What we do
Find vulnerabilities
Our researchers find and report new vulnerabilities in the open source projects everyone relies on.
Educate the community
We share our research through proof-of-concepts, articles, tutorials, conferences and community events.
Amplify security research
We scale the security research of our community by performing variant analysis for open source projects with CodeQL. Visit our CodeQL Wall of Fame.
Notify the ecosystem
We curate a database of CVEs and security advisories to notify open source developers and maintainers.
Our principles
Empower others
Make securing open source easy for developers and maintainers.
Foster collaboration
Build a community of security researchers to serve the global open source community.
Vulnerabilities we've disclosed so far
- Actions expression injection in Discord.js
- Unsafe YAML deserialization in ngrinder
- Command injection and limited file write in fishaudio/Bert-VITS2 - CVE-2024-39685, CVE-2024-39686, CVE-2024-39688
- Potential secrets exfiltration from a Pull Request in docfx
- Potential secret exfiltration from a Pull Request in AutoGen
Meet the team
Catching up on all the hacking that I should have done in the 1990s