2026-01-20

Learn how we triage security alerts in GitHub Actions and JavaScript projects with the new GitHub Security Lab Taskflow Agent, and leverage LLMs to focus on the exploitable vulnerabilities. github.blog/security/ai-suppor

2026-01-14

Excited to share our open source agentic framework for security research, a collaborative framework that lets the community share AI "taskflows"! Read @kevinbackhouse's blog post for details and a demo. Join us in strengthening open-source security! github.blog/security/community

2026-01-06

We wrapped up 2025 on a high note—here are the bug bounty stats for December!
✅ 151 bounty reports submitted
👥 110 hackers participated in our program
💰 Awarded $48,367 in bounties

Found a vulnerability? Submit it here: bounty.github.com.

2025-12-30

Learn why some vulnerabilities resist fuzzing and persist in long-enrolled OSS-Fuzz projects, and how you can find them!

github.blog/security/vulnerabi

2025-12-23

In just 17 minutes, 📌 Jaroslav Lobačevski shares his knowledge about securing GitHub Actions, drawing from hands-on experience uncovering hundreds of real-world vulnerabilities.

Topics include:
• Best practices for using third-party actions
• The security model of GitHub Actions: tokens and permissions, job isolation and secrets
• pull_request vs pull_request_target
• Common pitfalls that lead to Remote Code Execution (RCE): interpolation and environment injections, cache poisoning
• …and more

The talk wraps up with FREE tools to automate GitHub Actions security you can start using TODAY.

gh.io/secure-github-actions

2025-12-23

GitHub Security Lab discovered a critical vulnerability in WooCommerce. We’d like to thank WooCommerce/Automattic for their incredibly quick response and fix of the vulnerability.

“A critical vulnerability was discovered in WooCommerce (versions 8.1 to 10.4.2) that, if exploited, could allow logged-in customers to access order details belonging to guest customers.”

If you are using WooCommerce, please update. For more info see WooCommerce’s blog post:
developer.woocommerce.com/2025

GitHub Security Lab boosted:
2025-12-02

Learn what to do when your CodeQL database doesn't contain what you expect and how to use cvise to easily create a minimal reproducer in my newest blog post 🎉
intrigus.org/research/2025/11/

2025-12-01

Hello Hackers! Here are our November bug bounty stats!
🐛 146 bounty reports submitted
👩‍💻 102 hackers participated in our program
💰 Awarded $93,068 in bounties
Found a vulnerability? Submit it here: bounty.github.com/

2025-11-19

Attending AI Native DevCon? Join @jkcso.bsky.social and discover practical ways to use AI for security through 14 live GitHub Copilot demos from secure coding, to supply chain decisions, to MCP servers.
📅 November 19, 11:40 AM EST

📍 Industry City, Kings County, NY + online
👉 ainativedev.io/devcon

Flyer of the conference session, with a photo of the speaker, and details about the session (title, speaker name and role: Joseph Katsioloudes Cyber Security Specialist at GitHub, track: tools in action)
2025-11-13

Join us at @nerdearla to discover how GitHub secures the open source software we all rely on. From groundbreaking security research and education initiatives to free tools for open source and programs that have strengthened the security of hundreds of projects worldwide — we’re excited to share it all!

📅 November 14, 11 AM CET
📍 LaNaveMadrid + free online streaming
👉 nerdearla.es

2025-11-11

🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/community/disc

2025-11-04

Here are our October bug bounty stats!

🐛 162 bounty reports submitted
🎃 121 hackers participated in our program
💰 Awarded $78,968 in bounties

Found a vulnerability? Submit it here: bounty.github.com/

2025-10-28

Building with AI? 🤖
Then you won’t want to miss tomorrow’s #GitHubUniverse workshop with Joseph Katsioloudes and Rahul Zhade — all about how to build secure LLM-powered applications.

📍 Fort Mason Center for Arts & Culture
🗓️ Oct 29, 1:15–2:45 PM PDT

2025-10-24

🎉 It’s Friday at #EkoParty!
Join us at the GitHub booth at 15:30 for the GitHub Quiz 🧠
Test your security knowledge, win exclusive GitHub swag, grab some stickers, and chat with our experts!
👉 gh.io/eko

2025-10-22

Learn how to use LLMs to improve the fuzzing process in @nosoynadiemas's talk at #ekoparty2025

📅 Thursday, 23 Oct, 15:30 AST

2025-10-22

👋 Hola Argentina! We’re thrilled to be at #EkoParty this week!

If you’re around, swing by the GitHub booth — grab some stickers, play our security games, and chat with our experts about all things open source & security.

See you there 👉 gh.io/eko

2025-10-20

The internet was on fire. 🔥
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.

Now, Log4j maintainer Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/inside

2025-10-13

Are you in Warsaw for @thehacksummit ? Join Sylwia Budzynska for an introductory talk about security research, static analysis, and CodeQL: "From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL"

📆 October 14, 11:20 CEST
Track: Security in Software Development & DevSecOps

Flyer from The Hack Summit conference announcing a presentation
Speaker: Sylwia Budzynska, GitHub Security Researcher
From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL
2025-10-08

Here are our September bug bounty stats!
✅ 166 bounty reports submitted
👥 120 hackers participated in our program
💰 Awarded $113,008 in bounties
Found a vulnerability? Submit it here: t.co/HG2AqybW0p.

2025-09-30

⏱️ Maintainers, we know you don’t have time to research every security best practice. That’s why we’ve made it simple: in just 15 minutes, you can protect your project from vulnerabilities, secrets leaks, and exploits.

✅ No security expertise required
✅ Free for open source
✅ Quick wins with long-term impact

Protect your project now at gh.io/protect-your-project
