The latest on vulnerability research

The world's largest developer platform

Docs

Everything you need to master GitHub, all in one place.

Go to Docs

GitHub

Build what's next on GitHub, the place for anyone from anywhere to build anything.

Start building

Customer stories

Meet the companies and engineering teams that build with GitHub.

Learn more

GitHub Universe 2026

Join us October 28-29 in San Francisco or online for GitHub Universe, our flagship developer event uniting people, agents, and the world's code.

Vulnerability research

Dedicated to advancing the understanding and detection of software vulnerabilities—and explaining the latest vulnerability research from the GitHub Security Lab . Go behind the scenes with the GitHub Security Lab, a collaborative initiative that brings together security researchers, developers, and organizations to find and fix security vulnerabilities in open source software.

Featured

Bugs that survive the heat of continuous fuzzing

Learn why some long-enrolled OSS-Fuzz projects still contain vulnerabilities and how you can find them.

Antonio MoralesDecember 29, 2025

Top security researcher shares their bug bounty process
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to put the spotlight on a talented security researcher—André Storfjord Kristiansen!Shilpa KumariOctober 22, 2025
Learn more
How a top bug bounty researcher got their start in security
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher — @xiridium!Shilpa KumariOctober 7, 2025
Learn more
CodeQL zero to hero part 5: Debugging queries
Learn to debug and fix your CodeQL queries.Sylwia BudzynskaSeptember 29, 2025
Learn more

We do newsletters, too

Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.

Latest

Kicking off Cybersecurity Awareness Month 2025: Researcher spotlights and enhanced incentives
For this year’s Cybersecurity Awareness Month, GitHub’s Bug Bounty team is excited to offer some additional incentives to security researchers!Shilpa KumariSeptember 26, 2025
Learn more
Safeguarding VS Code against prompt injections
When a chat conversation is poisoned by indirect prompt injection, it can result in the exposure of GitHub tokens, confidential files, or even the execution of arbitrary code without the user’s explicit consent. In this blog post, we’ll explain which VS Code features may reduce these risks.Michael StepankinAugust 25, 2025
Learn more
How to catch GitHub Actions workflow injections before attackers do
Strengthen your repositories against actions workflow injections — one of the most common vulnerabilities.Dylan BirtoloJuly 16, 2025
Learn more
CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre
DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.Kevin Backhouse, Antonio MoralesJuly 3, 2025
Learn more
Bypassing MTE with CVE-2025-0072
In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.Man Yue MoMay 23, 2025
Learn more
How to request a change to a CVE record
Learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion.Shelby CunninghamApril 9, 2025
Learn more