A zero-permission Android app could read every photo, video, voice note, and document in your Signal chats. Downloaded the Signal APK directly from Signal.org? You were vulnerable. https://lnkd.in/g9ZbPgn2
About us
- Website: https://securitylab.github.com
- Industry: Software Development
Updates
-
GitHub Security Lab reposted this
I just published something I've been wanting to share for a while! Earlier this year, our team published a deep dive into open source vulnerability trends across 2025. But the data through December only told part of the story. In Q1 2026, private vulnerability reports submitted to maintainers on GitHub increased over 4x. The number of unique reporters doubled. The number of targeted repositories doubled. No single reporter, project, or organization is driving it - this is a systemic shift. Here's what surprised me most: despite the volume surge, CVE requests to our CNA nearly quadrupled and our assignment rate actually improved - from ~90% to ~93%. The increase isn't just noise. Real vulnerabilities are being found, disclosed, and published faster than ever. But the pressure on maintainers is real. Acceptance rates have dipped. Backlogs are growing. And the people who maintain the software the world runs on are absorbing more of the burden every quarter. I wrote up the full analysis - the data, the nuance, and what we're doing about it - in the article below. If you're a maintainer, a security researcher, or someone who cares about the sustainability of open source: I'd love to hear what you're seeing on your side. #opensource #cybersecurity #vulnerabilitymanagement
-
Hidden feature in Signal? Not for attackers! An attacker with no admin privileges can delete any message in a group! https://lnkd.in/gSnhs9Su https://lnkd.in/gB4qgCv2
-
Here are our March bug bounty stats!
🐛 380 bounty reports submitted
👩‍💻 260 hackers participated in our program
💰 Awarded $94,637 in bounties
Found a vulnerability? Submit it here: https://t.co/HG2AqybW0p
-
Recent attacks on open source focus on exfiltrating secrets. In this post, Zach Steindler lists the prevention steps you can take today, and shares the security capabilities GitHub is working on to address this pattern. https://lnkd.in/gPtNnvJM
-
Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here's what changed and what it means for your triage and response. Read Jonathan Evans's "A year of open source vulnerability trends: CVEs, advisories, and malware": https://lnkd.in/dGz5Yg5V
-
Software supply chain attacks are on the rise. Learn how open source contributors can use what GitHub Actions is building to help protect projects and the broader software community. https://lnkd.in/gc5fpBe3
-
At GitHub, we believe supporting open source means more than hosting code. It means investing in the people who maintain it, giving them the tools they need to succeed, and standing with them as the ecosystem evolves rapidly in the AI era. Open source maintainers deserve better support and security, and we’re listening and investing. https://lnkd.in/gJZPSUiq
-
GitHub Security Lab reposted this
How to scan for vulnerabilities with GitHub Security Lab's open source AI-powered framework
Link to blog post: https://lnkd.in/eCufH4ZN
To run the tool:
1. Start a codespace on https://lnkd.in/eEjsmhN7
2. Wait a few minutes for the codespace to initialize
3. In the terminal, run: ./scripts/audit/run_audit.sh myorg/myrepo
A GitHub Copilot license is required. You may be eligible for free access if you're a student, teacher, or maintainer: https://lnkd.in/eryTv8yW