GitHub’s Latest Initiative Is Around Securing Open Source Software


In an initiative to make open-source software more secure, GitHub recently launched Security Lab — an effort to build a community of security researchers and an open coalition of the world’s security teams. Maintainers and developers of open source projects can now work together directly on GitHub to help ensure new vulnerabilities are only disclosed when maintainers are ready, and that developers can update to fixed versions quickly and easily.

The GitHub Security Lab research team is dedicated to working closely with the open-source community and with projects that are affected by vulnerabilities. The key reason for this is to protect users and to ensure responsible disclosure.

Many prominent companies like F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Okta, Trail of Bits, Uber and VMWare, among others, have come together as part of Security Lab. 

According to GitHub, there is a dire shortage of security professionals, who are outnumbered 500-to-1 by developers. GitHub cites this as one of the main reasons it created Security Lab.

GitHub considers the current handling of open source vulnerabilities sub-standard. This is highlighted by the fact that 40% of newly discovered vulnerabilities in open source don’t have a CVE identifier at the time of disclosure, which means they’re not included in any public database, and 70% of severe vulnerabilities lie unpatched 30 days after developers have been made aware of them.

CodeQL: The Main Tool Behind GitHub Security Lab

GitHub Security Lab developed an industry-leading code analysis engine, CodeQL, which is freely available for everyone to discover vulnerabilities in open source code. CodeQL is used by many security research teams around the world to perform semantic analysis of code, and the Security Lab itself has deployed it to discover over 100 CVEs in some of the most famous open-source code. GitHub Security Lab researchers say it has found vulnerabilities in key, widely-used open source projects.

To empower the research community, GitHub also made its state-of-the-art code analysis engine, CodeQL, free to use on open source. CodeQL allows users to query code as though it were data. This means that if users think there is a coding error that may have led to a vulnerability, they can write a query that detects every variant of that pattern, thus getting rid of an entire class of vulnerabilities in a single shot. CodeQL technology came to GitHub when it acquired Semmle in September 2019.
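To make the "query code as data" idea concrete, here is an added CodeQL variant-analysis query written for this article; it is not a query from GitHub, Semmle or the Security Lab. The bug pattern it hunts (`memset`/`memcpy`/`memmove` given `sizeof(p)` where `p` is a pointer, so the size is that of the pointer rather than the buffer) is an assumed illustration, and the query name and id are made up for this example.

```ql
/**
 * @name Size argument is sizeof a pointer, not the buffer (example variant query)
 * @description Flags memory-copying calls whose size argument is sizeof(p) where p
 *              is the destination pointer. sizeof(p) yields the pointer's size
 *              (4 or 8 bytes), not the size of the buffer it points to, so the
 *              call copies or clears the wrong amount of memory.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/sizeof-pointer-as-buffer-size
 */

import cpp

from FunctionCall call, SizeofExprOperator sz, Variable dest
where
  // One seed bug becomes a class of bugs: every memset/memcpy/memmove call
  // in the database is examined, not just the one a human happened to notice.
  call.getTarget().getName() = ["memset", "memcpy", "memmove"] and
  // The third argument is the size, and it is written as sizeof(<expression>).
  sz = call.getArgument(2) and
  // The sizeof operand is a plain variable access whose type is a pointer.
  dest = sz.getExprOperand().(VariableAccess).getTarget() and
  dest.getUnspecifiedType() instanceof PointerType and
  // That same pointer variable is the destination argument of the call.
  call.getArgument(0).(VariableAccess).getTarget() = dest
select call,
  "sizeof(" + dest.getName() + ") is the size of a pointer, not of the buffer it points to."
```

Run it against a project's CodeQL database (for example in the LGTM.com query console mentioned later in this article) to list every call matching the pattern.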

“We’re excited to have an initial set of partners that have all committed to achieving this goal. Together, we’re contributing tools, resources, bounties, and thousands of hours of security research to help secure the open-source ecosystem,” wrote Jamie Cool, VP of Product for Security at GitHub. “Securing the world’s open-source software is a daunting task,” Cool further stated.

GitHub CodeQL can only be used on codebases that are released under an OSI-approved open source license, or to perform academic research. It can’t be used for automated analysis, continuous integration or continuous delivery, whether as part of regular software engineering processes or otherwise. 

GitHub Security Lab Protocol For Vulnerability Disclosure

After finding security flaws, Security Lab responsibly discloses those vulnerabilities to the security teams of the affected projects. It only publishes vulnerabilities after they’ve been announced by the affected projects’ development teams and patches are available.

Security Lab has specified a disclosure deadline: it publicly discloses a vulnerability 90 days after the initial report is sent to the open-source project team, or 30 days after a project maintainer has published a code change that publicly addresses the vulnerability, whichever is sooner.

“When a vulnerability is identified in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise, we will attempt to contact the project maintainers directly. If the project team responds and agrees the issue is security-critical, we will work with the project security team or maintainers to communicate the vulnerability in detail and agree on the process for public disclosure,” said a Security Lab team member. 

GitHub has also announced Security Advisories, which let project maintainers work with security researchers on security fixes in a private space, apply for a CVE directly from GitHub, and specify structured details about the vulnerability. GitHub Security Lab will focus its efforts on identifying and reporting vulnerabilities in open-source software, while maintainers and developers use GitHub to create fixes, coordinate on the disclosure, and update related projects.

To get started, GitHub Security Lab lets you execute real queries on open-source codebases using the CodeQL query console on LGTM.com and discover vulnerabilities in the codebase. You can also download a particular project’s CodeQL database, add it to Visual Studio, and run the query there.

PS: The story was written using a keyboard.
Vishal Chawla

Vishal Chawla is a senior tech journalist at Analytics India Magazine and writes about AI, data analytics, cybersecurity, cloud computing, and blockchain. Vishal also hosts AIM's video podcast called Simulated Reality- featuring tech leaders, AI experts, and innovative startups of India.