Nine years of the GitHub Security Bug Bounty program
It was another record year for our Security Bug Bounty program! We’re excited to highlight some achievements we’ve made together with the bounty community in 2022!
The post Nine years of the GitHub Security Bug Bounty program appeared first on The GitHub Blog. ⌘ Read more
Four tips to keep your GitHub Actions workflows secure
Researchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure.
The post Four tips to keep your GitHub Actions workflows secure appeared first on The GitHub Blog. ⌘ Read more
Container Security and Why It Matters
Container security is the process of using relevant toolings to protect your images from malware and vulnerabilities.
We look at security for containers in a scalable environment and how Docker can help. ⌘ Read more
Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform
This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation. Both vulnerabilities were addressed by the Decidim team with corresponding update releases for the supported versions in May 2023. ⌘ Read more
Isode: Cobalt 1.4 – New Capabilities
Cobalt provides a web interface for provisioning users and roles in an LDAP directory. It enables the easy deployment of XMPP, Email and Military Messaging systems.
Listed below are the changes brought in with 1.4.
HSM Support: Cobalt is Isode’s tool for managing PKCS#11 Hardware Security Modules (HSM) which may be used to provide improved server security by protecti … ⌘ Read more
Security alert: social engineering campaign targets technology industry employees
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor. ⌘ Read more
Introducing passwordless authentication on GitHub.com
Passkeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method. ⌘ Read more
GitHub achieves ISO/IEC 27701:2019, 27018:2019, and CSA STAR certifications
GitHub’s Information Security and Privacy Management System (ISPMS) has been certified against ISO/IEC 27701:2019 (PII Processor) and 27018:2019 standards, as well as the Cloud Controls Matrix (CCM). These standards and frameworks are internationally recognized for security and privacy program best practices. ⌘ Read more
Introduction to SELinux
SELinux is the most popular Linux Security Module used to isolate and protect system components from one another. Learn about different access control systems and Linux security as I introduce the foundations of a popular type system. ⌘ Read more
What Is The Biggest National Security Consideration of Quantum Computing? 😳 ⌘ Read more
Isode: Harrier 3.3 – New Capabilities
Harrier is our Military Messaging client. It provides a modern, secure web UI that supports SMTP, STANAG 4406 and ACP 127. Harrier allows authorised users to access role-based mailboxes and respond as a role within an organisation rather than as an individual.
… ⌘ Read more
Ignite Realtime Blog: CVE-2023-32315: Openfire Administration Console authentication bypass
We’ve had an important security issue reported that affects all recent versions of Openfire. We’ve fixed it in the newly published 4.6.8 and 4.7.5 releases. We recommend people upgrade as soon as possible. More info, including mitigati … ⌘ Read more
Ignite Realtime Blog: Openfire 4.7.5 Release
The Ignite Realtime Community is happy to announce the 4.7.5 release of Openfire!
This release primarily addresses the issue that is the subject of security advisory CVE-2023-32315, but also pulls in a number of improvements and bugfixes.
You can find download artifacts [available here](https://ignit … ⌘ Read more
Ignite Realtime Blog: Openfire 4.6.8 Release
The Ignite Realtime Community is happy to announce the 4.6.8 release of Openfire!
We have made available a new release of this older version to address the issue that is the subject of security advisory CVE-2023-32315.
We are aware that for some, the process of deploying a new major version of Openfire is not a trivial matter, as it may encompass a lot more than only pe … ⌘ Read more
Announcing the public preview of GitHub Advanced Security for Azure DevOps
GitHub Advanced Security for Azure DevOps is now available for public preview, making GitHub’s same application security testing tools natively available on Azure Repos. ⌘ Read more
Metadata from a single picture can destroy your privacy
What someone can learn from your Image EXIF Metadata, and how to secure your photos ⌘ Read more
My desktop computer developed a really annoying vibration-induced buzzing sound a few months ago after I added some hard drives to it. It was one of these where it’d be more or less quiet, and then all of a sudden a buzzing would start. If you tapped the case, it often made the buzzing stop.
One by one I went through my components, and the day before yesterday I finally identified the guilty party, one particular HDD. Currently I have the case open and a piece of cardboard jammed under the drive in its tray. The computer has not buzzed since I did that, so it looks to me like securing that drive better will finally end this madness-inducing sound.
Wild that it takes so long to track down something like this and figure out what to do about it.
Manage your application security stack effectively with the tool status page
Code scanning’s tool status gives you a bird’s eye view of your application security stack, allowing you to quickly confirm everything is working, or troubleshoot any tool in your application security arsenal. ⌘ Read more
Git security vulnerabilities announced
A new set of Git releases were published to address a variety of security vulnerabilities. All users are encouraged to upgrade. Take a look at GitHub’s view of the latest round of releases. ⌘ Read more
Tillitis TKey
The Tillitis TKey, which I first wrote about in September last year,
is now available for sale at the Tillitis webshop.
The TKey is a small bare-bones RISC-V computer in a USB stick form
factor with no persistent storage that measures apps uploaded to it
and derives a deterministic secret every time the same app is started.
You can use it, for instance, as a security token to keep your private
key and do signing operations. Everyt … ⌘ Read more
Private vulnerability reporting now generally available
Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities. ⌘ Read more
Ensuring compliance in developer workflows
How GitHub Enterprise ensures secure and compliant developer workflows for highly regulated industries. ⌘ Read more
TestArticle_11Apr23
security patching going on ⌘ Read more
Changes restricting international students’ working hours have farmers worried as workforce crisis continues
Workforce uncertainty in the face of the cap has left farmers grappling to secure farm hands, with one Tasmanian strawberry farmer halting a $10 million expansion plan. ⌘ Read more
Pwning Pixel 6 with a leftover patch
In this post, I’ll look at a security-related change in version r40p0 of the Arm Mali driver that was AWOL in the January update of the Pixel bulletin, where other patches from r40p0 were applied, and how these two lines of changes can be exploited to gain arbitrary kernel code execution and root from a malicious app. This highlights how treacherous it can be when backporting security changes. ⌘ Read more
Bring your enterprise together with enterprise accounts for all
With enterprise accounts for all, your organization can take advantage of all that GitHub Enterprise has to offer, from GitHub Actions and GitHub Advanced Security, to Copilot. ⌘ Read more
Level up monitoring and reporting for your enterprise
A high-quality audit log is an essential tool for enterprises to ensure compliance, maintain security, investigate issues, and promote accountability. ⌘ Read more
CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research
Learn more about static analysis and how to use it for security research!
In this blog post series, we will take a closer look at static analysis concepts, present GitHub’s static analysis tool CodeQL, and teach you how to leverage static analysis for security research by writing custom CodeQL queries. ⌘ Read more
GitHub Galaxy 2023: Empower developer teams with a new developer experience
Learn how GitHub’s one, integrated platform, powered by AI and secure at every step, helps developer teams be more productive, collaborative, and efficient. ⌘ Read more
We updated our RSA SSH host key
At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. ⌘ Read more
Build a secure code mindset with the GitHub Secure Code Game
Writing secure code is as much of an art as writing functional code, and it is the only way to write quality code. Learn how our Secure Code Game can provide you with hands-on training to spot and fix security issues in your code so that you can build a secure code mindset. ⌘ Read more
Introducing GitHub vulnerability management integrations for security professionals
Learn about using GitHub Advanced Security alerts with vulnerability management tools. Check out the integrations and learn about how to get started. ⌘ Read more
Don’t leave developers behind in the Section 230 debate
Developers are at the heart of our online world and at the forefront of creating solutions for global challenges, working to make the software that underpins our digital infrastructure more secure, reliable, and safe. ⌘ Read more
How GitHub accelerates development for embedded systems
In a world where software and hardware are ubiquitous, GitHub can help enable secure development for mission-critical embedded systems. ⌘ Read more
Raising the bar for software security: GitHub 2FA begins March 13
On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Read on to learn about what the process entails and how you can help secure the software supply chain with 2FA. ⌘ Read more
Multi-repository variant analysis: a powerful new way to perform security research across GitHub
Multi-repository variant analysis lets you scale security research across thousands of repositories, giving you a powerful tool to find and respond to newly discovered vulnerabilities. ⌘ Read more
Application security orchestration with GitHub Advanced Security
Learn how teams can leverage the power of GitHub Advanced Security’s code scanning and GitHub Actions to integrate the right security testing tools at the right time. ⌘ Read more
GitHub Galaxy 2023: your guide to building a more flexible and productive software development cycle
Join us virtually on March 28-31 for GitHub Galaxy, a global enterprise event focused on improving efficiency, security, and developer productivity. ⌘ Read more
GitHub Enterprise Server 3.8 is now generally available
With updates to GitHub Actions, repositories, and GitHub Advanced Security, this new version of GitHub Enterprise Server is focused on bringing the best developer experience to companies. ⌘ Read more
GitHub Security Lab audited DataHub: Here’s what they found
The GitHub Security Lab audited DataHub, an open source metadata platform, and discovered several vulnerabilities in the platform’s authentication and authorization modules. These vulnerabilities could have enabled an attacker to bypass authentication and gain access to sensitive data stored on the platform. ⌘ Read more
RT by @mind_booster: 4/8 Joachim Türk of the German Child Protection Association, said that #ChatControl is “a deep intrusion into the fundamental right of freedom of communication” also of children.
🚨No one can be protected by making the internet less secure. Read more at https://stopscanningme.eu/en/ ⌘ Read more
How to build a consistent workflow for development and operations teams
Explore how using GitHub and HashiCorp together enables enterprises to develop and ship to their customers faster and more securely with consistent workflows and actions. ⌘ Read more