GitHub launched a joint project to identify vulnerabilities in open source software

GitHub has launched the GitHub Security Lab initiative, aimed at organizing joint work by security experts from various companies and organizations to identify vulnerabilities in the code of open source projects and help eliminate them.

All interested companies and individual computer security specialists are invited to join the initiative. Rewards of up to $3000 are offered for identified vulnerabilities, depending on the severity of the problem and the quality of the report. Reports are to be submitted using the CodeQL toolkit, which lets you turn a vulnerable code pattern into a query that detects the same kind of vulnerability in the code of other projects (CodeQL performs semantic code analysis and supports queries that search for particular constructs).
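To show what "a query for a vulnerable construct" means in practice, here is an added example that is not part of the original article and does not use CodeQL: a simplified analogue written with Python's standard `ast` module. The query it encodes is "a call to `os.system`, or to a `subprocess` function with `shell=True`, whose command argument is not a string literal". The sample source it scans is constructed for the example.

```python
import ast
from dataclasses import dataclass

# Constructed sample: code containing both instances of the pattern and
# near-misses that the query must not report.
SAMPLE_SOURCE = '''
import subprocess
import os

def run(user_input):
    subprocess.call("ls " + user_input, shell=True)   # flagged: non-literal command
    subprocess.run(["ls", "-l"])                       # not flagged: no shell=True
    os.system("echo static")                           # not flagged: literal string
    os.system(user_input)                              # flagged: non-literal command
'''


@dataclass
class Finding:
    line: int
    call: str


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute call target, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_shell_injection_sinks(source: str) -> list[Finding]:
    """Query: os.system(...) or subprocess.*(..., shell=True) whose first
    argument (the command) is not a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        shell_true = any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        if name == "os.system" or (name.startswith("subprocess.") and shell_true):
            if not _is_str_literal(node.args[0]):
                findings.append(Finding(node.lineno, name))
    return findings


if __name__ == "__main__":
    for f in find_shell_injection_sinks(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.call} called with a non-literal command")
```

The point of the exercise is the same as with a real CodeQL query: once the shape of one bug is written down as a query over the program's structure rather than its text, the same query can be run over any number of other code bases. A real query would additionally track whether the non-literal argument is actually reachable from untrusted input, which this syntactic version does not do.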

Among the participants are security researchers from F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare, who over the past two years have identified and helped fix 105 vulnerabilities in projects such as Chromium, libssh2, Linux kernel, Memcached, UBoot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, rsyslog, Apache Geode and Hadoop.

The GitHub code security lifecycle works as follows: GitHub Security Lab members identify vulnerabilities and report them to the maintainers and developers, who develop fixes, agree on the timing of disclosure and inform dependent projects that they need to move to the version in which the vulnerability is eliminated. CodeQL templates for the fixed problems are placed in a database to prevent the same problems from reappearing in code hosted on GitHub.


Through the GitHub interface you can now obtain a CVE ID for an identified issue and prepare a report, and GitHub itself sends out the necessary notifications and coordinates the fix. Moreover, once the issue is fixed, GitHub automatically issues pull requests to update the dependencies associated with the affected project.

GitHub has also added the GitHub Advisory Database, a catalog of vulnerabilities that publishes information about vulnerabilities affecting projects on GitHub, along with information for tracking the affected packages and repositories. CVE identifiers mentioned in comments on GitHub now automatically link to the detailed description of the vulnerability in this database. A separate API is provided for automating work with the database.

An update has also been announced for the service that protects against sensitive data such as authentication tokens and access keys ending up in publicly accessible repositories. During a commit, the scanner checks for the common key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack and Stripe. If a token is detected, a request is sent to the service provider to confirm the leak and revoke the compromised token. Since yesterday, in addition to the previously supported formats, detection of GoCardless, HashiCorp, Postman and Tencent tokens has been added.
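The following is an added example, not part of the article and not GitHub's scanner, of the core of such a check: scanning only the lines a commit adds for known token formats and reporting each hit with a redacted value so the finding itself does not leak the secret. The three token patterns are simplified assumptions modelled on publicly documented prefixes (AWS access key IDs, Slack bot/user tokens, Stripe live secret keys), not GitHub's actual patterns, and the diff it scans is constructed with fake credentials.

```python
import re
from dataclasses import dataclass

# Assumed, simplified token formats (not GitHub's real patterns).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token":       re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
}

# Constructed sample diff; the AWS key is Amazon's documented example value,
# the Slack token is made up.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK = "xoxb-000000000000-000000000000-FakeTokenForExample0"
 TIMEOUT = 30
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class SecretFinding:
    provider: str
    path: str
    line: int
    redacted: str


def _redact(token: str) -> str:
    """Keep only the prefix and suffix so a report can be matched to the
    token by its owner without reproducing the full secret."""
    return token[:4] + "...." + token[-4:]


def scan_diff(diff: str) -> list:
    """Scan the added lines of a unified diff for known token formats.
    Removed and context lines are skipped: only what a commit introduces
    becomes new exposure in the repository."""
    findings = []
    path = None
    lineno = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))      # first new-file line number of this hunk
            continue
        if raw.startswith("-"):           # covers "--- a/..." and removed lines
            continue
        if raw.startswith("+"):
            for provider, pattern in TOKEN_PATTERNS.items():
                for token in pattern.findall(raw[1:]):
                    findings.append(SecretFinding(provider, path, lineno, _redact(token)))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1                   # context line advances the new-file counter
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        # In a real pipeline this is where the provider would be asked to
        # confirm and revoke the token; here the finding is only reported.
        print(f"{f.path}:{f.line}: possible {f.provider} ({f.redacted})")
```

The scanner is deliberately pattern-based: a format match is cheap and has few false negatives for tokens with a fixed prefix, but it cannot tell a live credential from a placeholder, which is exactly why the service described above follows a match with a verification request to the provider rather than acting on the match alone.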

Source: opennet.ru
