GitHub Security Lab
2025-06-03

We just launched season three of the GitHub Secure Code Game, and this time we’re putting you face to face with the security risks introduced by artificial intelligence. Get ready to learn by doing and have fun doing it! github.blog/security/hack-the-

2025-05-23

Our team member Man Yue Mo is back, showing a new way to bypass MTE protection on Android phones with CVE-2025-0072. github.blog/security/vulnerabi

2025-05-21

🚀 Want to secure your code like a pro? Join us virtually to explore how developers can use #AI and #GitHubCopilot to build secure software—faster and smarter!

🕚 May 22, 10am GMT
📍 Online (FREE & LIVE!)

🔗 Save your spot now and forward to your peers: developer.microsoft.com/en-us/

GitHub Security Lab boosted:
2025-05-19

This What’s in the SOSS? podcast is a special #MaintainerMonth episode featuring GitHub’s Securing Open Source Software Fund—where training meets funding to help OSS projects scale security.

🎧 openssf.org/podcast/2025/05/13

👉 maintainermonth.github.com/sec

2025-05-09

Season 3 of the GitHub Secure Code Game is coming — AI enters the chat 🤖🔥
Catch up with Seasons 1 and 2 at gh.io/secure-code-game

2025-05-02

Here are our April bug bounty stats!
✅ 145 bounty reports submitted
👥 117 hackers participated in our program
💰 Awarded $36,535 in bounties

Found a vulnerability? Submit it here: bounty.github.com.

2025-04-24

CodeQL analysis is now generally available for your GitHub Actions workflow files! Use automated code scanning and Copilot autofix to detect and remediate vulnerabilities in your CI/CD pipeline.
github.blog/changelog/2025-04-

2025-04-16

Hello security researchers!
Sharing the GitHub March bug bounty stats!
🐛 198 bounty reports submitted
👩‍💻 135 hackers participated in our program
💰 Awarded $62,701 in bounties

Found a vulnerability on GitHub? Submit it here: bounty.github.com.

2025-04-09

In our latest blogpost, learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion. github.blog/security/vulnerabi

2025-04-08

Are you in Athens for Devoxx Greece?
Don't miss @jkcso's talks on the main stage this Thursday and Friday! Discover how AI, Developer Experience (DevEx), and communities shape software security through real-world examples from securely building GitHub using GitHub 🔒

2025-04-04

Thursday, April 10
- 11:00 – 11:30: "CVE Unmoored: Implications of the Removal of the Technology Requirement" by Jonathan Evans

2025-04-04

Wednesday, April 9
- 09:00 – 09:30: "Breaking the Build: How Attackers Abuse GitHub Actions" by Jonathan Evans

2025-04-04

Tuesday, April 8
- 15:00 – 16:00: "CNA Birds of a Feather: Open Forum with Certified Naming Authorities" by David Welch & Jonathan Evans
- 16:00 – 16:30: "Managing Coordinated Disclosures: A Practical Workshop on Vulnerability Coordination" by Jeffrey Guerra & Sara Clements
- 16:30 – 17:00: "Exploit Maturity: Your New Best Friend in CVSS" by Shelby Cunningham

2025-04-04

Monday, April 7
- 12:30 – 13:00: "From NIST to FIRST: How GitHub’s Product Security Response Organization Transitioned" by Jeffrey Guerra & Sara Clements
- 14:30 – 15:30: "Vulnerability Poker: Real or AI Fake Vulnerabilities?" by Madison Oliver & Tobias Heldt

2025-04-04

Join us next week at #VULNCON2025 in Raleigh, North Carolina, where we’ll have a strong presence with these exciting sessions 🧵

2025-04-03

Learn how to set up CORS securely and avoid common pitfalls found in open-source software in our latest blog post! github.blog/security/applicati

2025-03-24

Open source maintainers, did you receive your first vulnerability report? Don't panic! Handling vulnerability reports doesn’t have to be stressful. Read on to find out how you can tackle security issues efficiently and confidently with the right tools and approach. github.blog/security/vulnerabi

2025-03-19

If you are at the Linux Foundation Member Summit, don't miss Madison Oliver @taladrane talking with Brian Fox and CRob about "Consumption Complacency: Bridging the Gap Between Discovery and Remediation", at 2:45

GitHub Security Lab boosted:
2025-03-13

In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at about.gitlab.com/releases/2025

2025-03-12

In this blog post, we detail newly discovered authentication bypass vulnerabilities in the ruby-saml library used for single sign-on (SSO) via SAML on the service provider (application) side. Users of ruby-saml should update immediately to version 1.18.0.

github.blog/security/sign-in-a

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst