GitHub launches ‘Security Lab’ to help secure open source ecosystem

Today, at the GitHub Universe developer conference, GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.

“GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code,” the company said in a press release.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” it said.

Founding members include security researchers from organizations like Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMWare, LinkedIn, J.P. Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne.

GitHub says Security Lab founding members have found, reported, and helped fix more than 100 security flaws already.

Other organizations, as well as individual security researchers, can also join. A bug bounty program with rewards of up to $3,000 is also available, to compensate bug hunters for the time they put into searching for vulnerabilities in open source projects.

Bug reports must contain a CodeQL query. CodeQL is a new open source tool that GitHub released today; a semantic code analysis engine that was designed to find different versions of the same vulnerability across vasts swaths of code. Besides GitHub, CodeQL is already being rolled out in other places to help with vulnerability code scans, such as Mozilla.

GitHub’s broader plan to improve security

GitHub’s new Security Lab project did not come out of the blue. Efforts have been going on at the company to improve the overall security state of the GitHub ecosystem for some time. Security Lab merges all these together.

For example, GitHub has been working for the past two years on rolling out security notifications that warn project maintainers about dependencies that contain security flaws.

Earlier this year, GitHub started testing a feature that would enable project authors to create “automated security updates.” When GitHub would detect a security flaw inside a project’s dependency, GitHub would automatically update the dependency and release a new project version on behalf of the project maintainer.

The feature has been in beta testing for all 2019, but starting today automated security updates are generally available and have been rolled out to every active repository with security alerts enabled. [Also see official announcement.]

Furthermore, GitHub also recently became an authorized CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. GitHub didn’t apply to become a CNA for nothing.

Its CNA capability has been added to a new service feature called “security advisories.” These are special entries in a project’s Issues Tracker where security flaws are handled in private.

Once a security flaw is fixed, the project owner can publish the security, and GitHub will warn all upstream project owners who are using vulnerable versions of the original maintainer’s code.

But before publishing a security advisory, project owners can also request and receive a CVE number for their project’s vulnerability directly from GitHub.

Previously, many open source project owners who hosted their projects on GitHub didn’t bother requesting a CVE number due to the arduous process.

However, getting CVE identifiers is crucial, as these IDs and additional details can be integrated into many other security tools that scan source code and projects for vulnerabilities, helping companies detect vulnerabilities in open sourcec tools that they would have normally missed.[Also see official announcement.]

And in addition to the new GitHub Security Lab, the code-sharing platform is also launching the GitHub Advisory Database, where it will collect all security advisories found on the platform, to make it easier for everyone to keep track of security flaws found in GitHub-hosted projects. [Also see official announcement.]

And last, but not least, GitHub also updated Token Scanning, its in-house service that can scan users’ projects for API keys and tokens that have been accidentally left inside their source code.

Starting today, the service, which previously could detect API tokens from 20 services, can identify four more formats, from GoCardless, HashiCorp, Postman, and Tencent. [Also see official announcement.]