
Posts by GitHub Security Lab

A year of open source vulnerability trends: CVEs, advisories, and malware Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed.

Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed and what it means for your triage and response. Read Jonathan Evans's A year of open source vulnerability trends: CVEs, advisories, and malware

github.blog/security/sup...

3 days ago
What's coming to our GitHub Actions 2026 security roadmap A look at GitHub Actions’ 2026 roadmap, outlining how secure defaults, policy controls, and CI/CD observability harden the software supply chain end to end.

Software supply chain attacks are on the rise. Learn how open source contributors can use what GitHub Actions is building to help protect projects and the broader software community.

github.blog/news-insight...

4 days ago
Communication on CanisterWorm Dear open source community, On March 20th GitHub learned of a new supply chain attack through public disclosure by socket.dev dubbed CanisterWorm that affects more than 64 unique npm packages.

Dear open source community, read our communication on CanisterWorm, learn what GitHub does to protect the community and what you can do to secure your supply chain www.linkedin.com/pulse/commun...

1 week ago
How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework GitHub Security Lab Taskflow Agent is very effective at finding Auth Bypasses, IDORs, Token Leaks, and other high-impact vulnerabilities.

Sign in with ANY password: How we used AI to break into a popular chat application, and other high-impact vulnerabilities. Read "How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework" github.blog/security/how...

3 weeks ago
https://bounty.github.com

Hello hackers! Here are our February bug bounty stats!

🐛 200 bounty reports submitted
👩‍💻 144 hackers participated in our program
💰 Awarded $48,589 in bounties

Found a vulnerability? Submit it here:
t.co/HG2AqybW0p

3 weeks ago

If you're at #DeveloperWeek and you care about open source security, there is a session you must attend. We have been contributing to secure open source for 6 years and @xcorail.bsky.social will share with you the lessons learned from this journey! How GitHub Secures Open Source, PRO stage, 1pm.

1 month ago
https://bounty.github.com

Here are our January bug bounty stats!
🐛 182 bounty reports submitted
👩‍💻 112 hackers participated in our program
💰 Awarded $76,269 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.

1 month ago
AI-supported vulnerability triage with the GitHub Security Lab Taskflow Agent Learn how we are using the newly released GitHub Security Lab Taskflow Agent to triage categories of vulnerabilities.

Learn how we triage security alerts in GitHub Actions and JavaScript projects with the new GitHub Security Lab Taskflow Agent, and leverage LLMs to focus on the exploitable vulnerabilities. github.blog/security/ai-...

2 months ago
Community-powered security with AI: an open source framework for security research Announcing GitHub Security Lab Taskflow Agent, an open source and collaborative framework for security research with AI.

Excited to share our open source agentic framework for security research, a collaborative framework that lets the community share AI "taskflows"! Read @kevinbackhouse.bsky.social's blog post for details and a demo. Join us in strengthening open-source security! github.blog/security/com...

2 months ago
GitHub Security Bug Bounty Program

We wrapped up 2025 on a high note—here are the bug bounty stats for December!
✅ 151 bounty reports submitted
👥 110 hackers participated in our program
💰 Awarded $48,367 in bounties

Found a vulnerability? Submit it here: bounty.github.com.

2 months ago
Resources Securing open source software, together.

Want to learn more about fuzzing?
You’ll find a dedicated section at the bottom of our website’s resources page at securitylab.github.com/open-source/

3 months ago

Learn why some vulnerabilities resist fuzzing and persist in long-enrolled OSS-Fuzz projects, and how you can find them!

github.blog/security/vul...

3 months ago
Resources Securing open source software, together.

In just 17 minutes, @yarlob.bsky.social shares his knowledge about securing GitHub Actions, drawing from hands-on experience uncovering hundreds of real-world vulnerabilities.

The talk wraps up with FREE tools to automate GitHub Actions security you can start using TODAY.

gh.io/secure-githu...

3 months ago
Store API Vulnerability Patched in WooCommerce 8.1+ - What You Need To Know A critical vulnerability in WooCommerce 8.1+ has been patched. We strongly recommend updating immediately.

GitHub Security Lab discovered a critical vulnerability in WooCommerce. We’d like to thank WooCommerce/Automattic for their incredibly quick response and fix of the vulnerability.

If you are using WooCommerce, please update. For more info see:
developer.woocommerce.com/2025/12/22/s...

3 months ago
https://bounty.github.com

Hello Hackers! Here are our November bug bounty stats!
🐛 146 bounty reports submitted
👩‍💻 102 hackers participated in our program
💰 Awarded $93,068 in bounties
Found a vulnerability? Submit it here: bounty.github.com

3 months ago

Flyer of the conference session. Title: Code Security Reinvented: Navigating the era of AI. Track: TOOLS IN ACTION. Speaker: Joseph Katsioloudes, Cyber Security Specialist at GitHub.

Attending AI Native DevCon? Join @jkcso.bsky.social and discover practical ways to use AI for security through 14 live GitHub Copilot demos from secure coding, to supply chain decisions, to MCP servers.
📅 November 19, 11:40 AM EST

📍 Industry City, Kings County, NY + online
👉 ainativedev.io/devcon

4 months ago

Join us at @nerdearla.bsky.social to discover how GitHub secures the open source software we rely on. From security research and education to free tools and programs that have strengthened the security of hundreds of projects.

📅 November 14, 11 AM CET
📍 LaNaveMadrid + free streaming
👉 nerdearla.es

4 months ago
Towards a secure by default GitHub Actions · community · Discussion #179107 Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...

🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/communi...

4 months ago
GitHub Security Bug Bounty Program

Here are our October bug bounty stats!

🐛 162 bounty reports submitted
🎃 121 hackers participated in our program
💰 Awarded $78,968 in bounties

Found a vulnerability? Submit it here: bounty.github.com

4 months ago

Building with AI? 🤖
Then you won’t want to miss tomorrow’s #GitHubUniverse workshop with Joseph Katsioloudes and Rahul Zhade — all about how to build secure LLM-powered applications.

📍 Fort Mason Center for Arts & Culture
🗓️ Oct 29, 1:15–2:45 PM PDT

5 months ago
GitHub Security Lab Securing open source software, together.

🎉 It’s Friday at #EkoParty!
Join us at the GitHub booth at 15:30 for the GitHub Quiz 🧠
Test your security knowledge, win exclusive GitHub swag, grab some stickers, and chat with our experts!
👉 gh.io/eko

5 months ago

Learn how to use LLMs to improve the fuzzing process in Antonio Morales's talk at #ekoparty2025

📅 Thursday, 23 Oct, 15:30 AST

5 months ago
GitHub Security Lab Securing open source software, together.

👋 Hola Argentina! We’re thrilled to be at #EkoParty this week!

If you’re around, swing by the GitHub booth — grab some stickers, play our security games, and chat with our experts about all things open source & security.

See you there 👉 gh.io/eko

5 months ago

The internet was on fire. 🔥
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.

Now, Log4J maintainer, Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...

5 months ago
Flyer from the conference The Hack Summit announcing a presentation: 
Sylwia Budzynska, GitHub Security Researcher
From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL

Are you in Warsaw for The Hack Summit Warsaw? Join Sylwia Budzynska for an introductory talk about security research, static analysis, and CodeQL: "From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL"

📆 October 14, 11:20 CEST
Track: Security in Software Development & DevSecOps

5 months ago
https://bounty.github.com

Here are our September bug bounty stats!
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.

5 months ago
Protect Your Project Securing open source software, together.

⏱️ Maintainers, we know you don’t have time to research every security best practice. That’s why we’ve made it simple:

✅ 15 minutes
✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact

Protect your project now at gh.io/protect-your-project

6 months ago
Our plan for a more secure npm supply chain GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.

Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...

6 months ago
https://bounty.github.com

Here are our August bug bounty stats!
✅ 173 bounty reports submitted
👥 131 hackers participated in our program
💰 Awarded $28,667 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.

6 months ago
Introducing cargo safe-publish About ways to publish unexpected code to crates.io

Georg Semmler, the maintainer of github.com/diesel-rs/di... and one of the recent participants in the GitHub Secure Open Source Fund, has written a tool called cargo-safe-publish that helps protect against supply chain attacks in the Rust Cargo ecosystem. Read more: blog.weiznich.de/blog/cargo-s...

6 months ago