With Security Lab, GitHub has brought together security experts from various organizations to find and eliminate bugs. “GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code,” the company added in an accompanying press release. “Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects.” The companies joining Security Lab at launch include Microsoft, Intel, Google, Oracle, Mozilla, LinkedIn, VMware, Uber, NCC Group, J.P. Morgan, IOActive, Trail of Bits, F5, and HackerOne. GitHub points out that Security Lab has already been successful: so far, founding members have contributed to fixes for over 100 bugs.
Addressing Security Flaws
Other companies can join the initiative, and GitHub is also urging individual security researchers to take part. To help entice those researchers, a $3,000 bounty program has been launched. “GitHub’s approach to security addresses the whole open source security lifecycle. Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version.” GitHub says all bug reports must make use of CodeQL, the open source tool GitHub also unveiled today. CodeQL is a code analysis engine built to find vulnerabilities across large bodies of code. Companies outside GitHub can adopt CodeQL in their own systems.