Semmle (@Semmle)'s Twitter Profile
Semmle

@Semmle

Semmle has joined GitHub.
Finding zero-days and automating variant analysis | Creators of CodeQL and @LGTM

ID:4896799426

Link: https://semmle.com | Date: 11-02-2016 02:52:46

395 Tweets

1,7K Followers

20 Following

GitHub Security Lab (@GHSecurityLab):

ICYMI: We're running a CTF until December 31st. Write a CodeQL query to find a specific class of DOM-based XSS vulns. The 2 best submissions will win Nintendo Switches, and 10 additional entries will receive coupons that can be used for GitHub Swag.

securitylab.github.com/ctf/jquery

GitHub Security Lab (@GHSecurityLab):

We've just launched a new slack workspace for anyone interested in being part of the mission to secure the open source software we all depend on. ghsecuritylab.slack.com

If you'd like to receive an invitation to join the workspace, send us a DM with your email address.

GitHub Security Lab (@GHSecurityLab):

Yesterday we had our first GitHub Security Meetup, with lightning talks by Kev, Antonio Morales, Agustin Gianni and Abishek Arya (Google). But also with exciting discussions with security folks. Thanks to all attendees and others: stay tuned for the next one in January.

GitHub Security Lab (@GHSecurityLab):

Learn how our security researcher Nico Waisman found wireless vulnerabilities in the Linux Kernel, and variants, thanks to CodeQL: securitylab.github.com/research/anato…

GitHub Security Lab (@GHSecurityLab):

Want to challenge your vulnerability hunting skills? Try our latest Capture The Flag and discover XSS-unsafe jQuery plugins: securitylab.github.com/ctf/jquery

GitHub Security Lab (@GHSecurityLab):

Check out the GitHub Security Lab bounty program! securitylab.github.com/bounties. Write a query, find bugs, get rewarded.

Semmle (@Semmle):

Welcome to the GitHub Security Lab! Join us and contribute to secure the world's code! Visit securitylab.github.com

Semmle (@Semmle):

Want to learn more about QL and how you can use it to find variants of vulnerabilities in your code? Join us for our Semmle User Group this Wednesday night at Mozilla. See the event details for more information.

meetup.com/Semmle-San-Fra…

Semmle (@Semmle):

Semmle security researcher Kev discloses another integer overflow vulnerability in libssh2, which could potentially lead to information disclosure blog.semmle.com/libssh2-intege…

Semmle (@Semmle):

Wondering how Fermin J. Serna found 13 CVEs in U-boot? Watch his presentation 'Using One Exploitable Zero-Day to Eradicate an Entire Class of Vulnerabilities' on-demand: hubs.ly/H0l0c_V0

Semmle (@Semmle):

Is your code VUCA (Volatile, Uncertain, Complex, Ambiguous)? Let's see how the OODA Loops theory inspires our code review practices. hubs.ly/H0l0c_y0

Semmle (@Semmle):

In this video, Kev discusses the libssh2 integer overflows and out-of-bounds read he recently discovered. See how it can be triggered by connecting to a malicious ssh server hubs.ly/H0l094z0

Semmle (@Semmle):

Imagine if your dev team could have automated code review powered by security expertise? Tomorrow, join Oege de Moor and Fermin J. Serna to see how community-powered security can become a part of the developer’s workflow. hubs.ly/H0l092P0

Nico Waisman (@nicowaisman):

Thanks to everyone that attended my QL workshop at !
Here is some of the material covered during the workshop:
github.com/nicowaisman/QL…

Semmle (@Semmle):

Are unit tests really effective in preventing bugs? We analyzed over 50k LGTM projects in Java, Python, and JavaScript to find out. hubs.ly/H0l17-D0

LGTM (@LGTM):

Now in beta! LGTM is supporting Golang and we have some projects that you can explore. Check them out and suggest others you'd like us to analyze. hubs.ly/H0l167w0

Semmle (@Semmle):

Man Yue Mo takes a deep dive into past Android vulnerabilities that exploited C++ pointers wrapped inside Java objects. hubs.ly/H0k_Nrz0

Ekoparty | Hacking everything (@ekoparty):

Such an honor to have Nico Waisman at ekoparty, this time with his workshop 'Hunting bugs with fishing nets'. We learned how to model bugs to find vulnerabilities 🎣

Semmle (@Semmle):

Imagine if your dev team could have automated code review powered by security expertise? Join Oege de Moor and Fermin J. Serna as they share their vision for community-powered secure development: hubs.ly/H0kZ9290
