Catch Shelby Cunningham on stage at CVE/FIRST VulnCon 2026 in Scottsdale, Arizona. Her panel, “Supply Chains and Malware Campaigns: Is CVE the Right Way to Name the Game?”, examines whether CVE is the right tool for tracking open-source supply chain compromises — from isolated package incidents to large-scale campaigns affecting hundreds of packages. Date: April 16, 2026 | 1:15–2:15 PM MST (UTC-7) Learn more: https://lnkd.in/g6YmzEVk
About us
Website: https://securitylab.github.com
Industry: Software Development
Updates
-
AI agents that execute commands, browse the web, and coordinate with other agents are everywhere. But how do you know they're safe? Season 4 of GitHub's Secure Code Game lets you find out by hacking one yourself. Free, hands-on, and you can get started in under 2 minutes! Learn more in our latest blog: https://lnkd.in/gacyENSm
-
GitHub Security Lab reposted this
vulnz.ch's second edition will take place on Monday, April 20th at HeadsQuarter The Historic in Zurich. Peter will present GitHub Security Lab's AI-powered vulnerability scanning framework and I will cover defending AI agents with open source tooling. If you're into appsec, pentesting, vulnerability research, or anything in between, come join us! https://luma.com/ul9wg5o8
-
Who’s at VulnCon? Join Sophia Sanles-Luksetich and Zachary Goldman at CVE/FIRST VulnCon 2026 in Scottsdale, Arizona. Their talk, “Flipping the Criticality Funnel: A Practical Path to Real Prioritization”, covers how GitHub built a unified risk-scoring model that combines CVSS, EPSS, KEV, and asset context to cut through alert noise and drive remediation where it matters most. Date: April 15, 2026 | 11:35 AM–12:05 PM MST (UTC-7) Learn more: https://lnkd.in/gx-TTAP3
-
A zero-permission Android app could read every photo, video, voice note, and document in your Signal chats. Downloaded the Signal APK directly from Signal.org? You were vulnerable. https://lnkd.in/g9ZbPgn2
-
GitHub Security Lab reposted this
I just published something I've been wanting to share for a while! Earlier this year, our team published a deep dive into open source vulnerability trends across 2025. But the data through December only told part of the story. In Q1 2026, private vulnerability reports submitted to maintainers on GitHub increased over 4x. The number of unique reporters doubled. The number of targeted repositories doubled. No single reporter, project, or organization is driving it - this is a systemic shift. Here's what surprised me most: despite the volume surge, CVE requests to our CNA nearly quadrupled and our assignment rate actually improved - from ~90% to ~93%. The increase isn't just noise. Real vulnerabilities are being found, disclosed, and published faster than ever. But the pressure on maintainers is real. Acceptance rates have dipped. Backlogs are growing. And the people who maintain the software the world runs on are absorbing more of the burden every quarter. I wrote up the full analysis - the data, the nuance, and what we're doing about it - in the article below. If you're a maintainer, a security researcher, or someone who cares about the sustainability of open source: I'd love to hear what you're seeing on your side. #opensource #cybersecurity #vulnerabilitymanagement
-
Hidden feature in Signal? Not for attackers! An attacker with no admin privileges can delete any message in a group! https://lnkd.in/gSnhs9Su https://lnkd.in/gB4qgCv2
-
Here are our March bug bounty stats! 🐛 380 bounty reports submitted · 👩💻 260 hackers participated in our program · 💰 $94,637 awarded in bounties. Found a vulnerability? Submit it here: https://t.co/HG2AqybW0p
-
Recent attacks on open source focus on exfiltrating secrets. In this post, Zach Steindler lists the prevention steps you can take today, and shares the security capabilities GitHub is working on to address this pattern. https://lnkd.in/gPtNnvJM
-
Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed and what it means for your triage and response. Read Jonathan Evans's A year of open source vulnerability trends: CVEs, advisories, and malware https://lnkd.in/dGz5Yg5V