GitHub initiated a project to search for vulnerabilities in open source software

GitHub's management appears to be taking software security seriously. First came the code archive in Svalbard and a program of financial support for developers, and now the GitHub Security Lab initiative, which invites any interested specialist to take part in improving the security of open source software.


F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMware are already taking part in the initiative. Over the past two years they have helped identify and fix 105 vulnerabilities across a number of projects.

Other participants are promised rewards of up to $3000 for vulnerabilities they identify. The GitHub interface already allows a CVE identifier to be obtained for an issue and a report to be created about it. A vulnerability catalog, the GitHub Advisory Database, has also been launched; it contains information about problems in applications hosted on GitHub, vulnerable packages, and so on.

In addition, updated protection has been added to the platform to keep personal and confidential data, such as tokens, keys and the like, out of public repositories. According to GitHub, the system automatically scans for the key formats of 20 services and cloud providers. When a match is found, a request is sent to the respective provider to confirm the problem and revoke the compromised keys.
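To make that flow concrete, here is an added example of a minimal push-time secret scanner; it is not GitHub's code, and GitHub's actual rule set and provider notification protocol are not described in the article. The example assumes a handful of well-known key formats (an AWS access key ID, a GitHub personal access token and a PEM private-key header), scans only the lines a push adds, redacts every match so the finding itself does not leak the secret, and groups findings by provider so each can be sent a revocation request. The diff it scans is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed rule set for this example. A production scanner would carry one
# rule per supported provider; these three formats are publicly documented.
SECRET_PATTERNS = {
    "aws": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),            # AWS access key ID
    "github": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),      # GitHub personal access token
    "pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int      # line number within the diff text
    provider: str     # which provider should be asked to confirm and revoke
    redacted: str     # the match with everything past a short prefix masked


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short identifying prefix, mask the rest."""
    keep = min(keep, len(secret))
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_diff(diff_text: str) -> list:
    """Scan only the lines a push adds ('+' lines, excluding the '+++' file header)."""
    findings = []
    for no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for provider, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line[1:]):
                findings.append(Finding(no, provider, redact(match.group(0))))
    return findings


def route_for_revocation(findings: list) -> dict:
    """Group findings by provider, mirroring the 'notify the provider' step."""
    routed = {}
    for finding in findings:
        routed.setdefault(finding.provider, []).append(finding)
    return routed


# Constructed sample diff. The removed ('-') line carries a token on purpose:
# it is not part of what the push adds, so the scanner must ignore it.
SAMPLE_DIFF = """\
--- a/config.env
+++ b/config.env
-OLD_TOKEN=ghp_zyxwvutsrqponmlkjihgfedcba9876543210
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+# nothing sensitive on this line
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for provider, items in route_for_revocation(scan_diff(SAMPLE_DIFF)).items():
        for item in items:
            print(f"line {item.line_no}: {provider} -> {item.redacted}")
```

The AWS key ID used here is the placeholder from AWS's own documentation; the other values are made up for the sample. Redacting at detection time matters because the finding is typically written to logs and notifications, which would otherwise become a second copy of the secret.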

Recall that GitHub was earlier acquired by Microsoft; it seems Redmond has decided to take data security seriously.



Source: 3dnews.ru
