GitHub Security Lab aims to make open source software more secure - Help Net Security

GitHub, the world’s largest open source code repository and leading software development platform, has launched GitHub Security Lab.



“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub.


GitHub Security Lab


GitHub Security Lab is a program aimed at researchers, maintainers, and companies that want to contribute to the overall security of open source software.


Current contributors/partners include companies like Microsoft (GitHub is a Microsoft subsidiary), Google, HackerOne, Intel, IOActive, LinkedIn, Mozilla, NCC Group, Oracle, Trail of Bits, Uber, VMware, F5 and J.P. Morgan, which will be “donating their time and expertise to find and report vulnerabilities in open source software.”


Two months ago, GitHub became a CVE Numbering Authority (CNA). This allows the company to issue CVE identifiers for all libraries and products hosted on github.com in a public repository, unless they are otherwise covered by another CNA.


According to Cool, the team has already had over 100 CVEs issued for security vulnerabilities it has found.


“Securing the world’s open source software is a daunting task,” he explained. “First, there’s scale: the JavaScript ecosystem alone has over one million open source packages. Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies.”


Security Lab is an effort meant to make the task easier, especially sinc ..