
GitHub on mission to secure the world's open source software

Monday, 18 November, 2019


Securing the world’s open source software is a formidable mission… and one that GitHub has chosen to accept.

On 14 November, the hosting giant launched GitHub Security Lab — a platform designed to empower people to secure open source code.

Through the platform, participants can access GitHub’s analysis engine, CodeQL, which helps users find and eradicate vulnerability-causing code, as well as “thousands of hours of security research”, according to a blog post by GitHub’s Vice President of Product Management, Security, Jamie Cool.

Users can also earn bounties of up to US$3000 for writing new CodeQL queries that find multiple, or a class of, vulnerabilities in open source code with high precision.
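As an added illustration, not code from the article or from GitHub, the following shows the shape of a CodeQL query of the kind the bounty describes: a taint-tracking query for the JavaScript ecosystem that reports remote user input reaching the command argument of a `child_process.exec` call. The query id, class name and alert message are hypothetical; the imports and predicates assume the CodeQL JavaScript standard library as it existed in 2019 (the `TaintTracking::Configuration` style), so the exact library paths should be checked against the CodeQL release in use.

```ql
/**
 * @name Remote input flows into a shell command (added example)
 * @description Taint-tracking query that reports remote user input
 *              reaching the command string of child_process.exec.
 *              Hypothetical example, not a query from GitHub Security Lab.
 * @kind path-problem
 * @problem.severity error
 * @id js/example-shell-command-injection
 */

import javascript
import semmle.javascript.security.dataflow.RemoteFlowSources
import DataFlow::PathGraph

// One configuration per vulnerability class: sources are anything the
// standard library already classifies as remote user input (HTTP request
// parameters, bodies, headers, ...), sinks are the command argument of exec.
class ShellInjectionConfig extends TaintTracking::Configuration {
  ShellInjectionConfig() { this = "ShellInjectionConfig" }

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::CallNode call |
      // require('child_process').exec(cmd, ...) and its aliases
      call = DataFlow::moduleMember("child_process", "exec").getACall() and
      sink = call.getArgument(0)
    )
  }
}

// Report each source-to-sink path so reviewers can follow the flow.
from ShellInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlow(source, sink)
select sink.getNode(), source, sink,
  "Shell command is built from $@.", source.getNode(), "user-controlled input"
```

The precision the bounty criteria ask for comes from the sink definition: only the command argument of `exec` is flagged, and only when a real remote source reaches it through taint steps, so string literals and internally generated commands produce no alerts. A query like this finds every instance of one vulnerability class across every repository it is run against, which is the scaling argument the article makes below.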

Cool said these tools would help the Lab’s security researchers, maintainers and partner companies — such as Google, Intel, Microsoft and VMware — tackle three challenges: scale, expertise and coordination.

“The JavaScript ecosystem alone has over one million open source packages. Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies,” he said.

Lab researchers have already found and published 105 common vulnerabilities and exposures (CVEs), according to the site.

As more vulnerabilities are discovered, participants and end users will “need better tools to handle them”, Cool said.

Currently, “Forty percent of new vulnerabilities in open source don’t have a CVE identifier when they’re announced, meaning they’re not included in any public database. Seventy percent of critical vulnerabilities remain unpatched 30 days after developers have been notified,” he said.

GitHub expects the Lab to improve the handling of newly discovered vulnerabilities through coordinated disclosure: a vulnerability is announced only once maintainers have fixed the affected code, so that developers who depend on it can update promptly rather than learning of the flaw before a patch exists.

The Lab also intends to boost participation in the project through events and the sharing of best practices.
