GitHub on mission to secure the world's open source software

Monday, 18 November, 2019

GitHub on mission to secure the world's open source software

Securing the world’s open source software is a formidable mission… and one that GitHub has chosen to accept.

On 14 November, the hosting giant launched GitHub Security Lab — a platform designed to empower people to secure open source code.

Through the platform, participants can access GitHub’s analysis engine, CodeQL, which helps users find and eradicate vulnerability-causing code, as well as “thousands of hours of security research”, according to a blog post by GitHub’s Vice President of Product Management, Security, Jamie Cool.

Users can also earn bounties of up to US$3000 for writing new CodeQL queries that find multiple, or a class of, vulnerabilities in open source code with high precision.

Cool said these tools would help the Lab’s security researchers, maintainers and partner companies — such as Google, Intel, Microsoft and VMWare — fight challenges of scale, expertise and coordination.

“The JavaScript ecosystem alone has over one million open source packages. Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies,” he said.

Lab researchers have already found and published 105 common vulnerabilities and exposures (CVEs), according to the site.

As more vulnerabilities are discovered, participants and end users will “need better tools to handle them”, Cool said.

Currently, “Forty percent of new vulnerabilities in open source don’t have a CVE identifier when they’re announced, meaning they’re not included in any public database. Seventy percent of critical vulnerabilities remain unpatched 30 days after developers have been notified,” he said.

GitHub expects the Lab to help improve responses to newly discovered vulnerabilities by ensuring they are only announced when maintainers have fixed affected code and developers can quickly update affected software.

Lab intends to boost project participation through events and sharing of best practices.

Image credit: ©

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to

Related News

Govt unveils code of practice to boost IoT security

The Australian Government has released a code of practice for IoT devices like smart televisions...

Career opportunities booming in RPA

UiPath has revealed that the COVID-19 pandemic has increased demand for robotic process...

Magento 1 still in wide use despite reaching end of life

Adobe has issued the final patches for version 1 of the popular e-commerce platform Magento, but...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd