Tech giants band together to form the GitHub Security Lab
The likes of Mozilla, Intel and Oracle have joined with Microsoft for the open-source project


Some of the biggest tech firms have joined forces to launch a community-led GitHub scheme in which researchers will hunt down and fix bugs in open-source projects.
The co-operative effort will see security researchers find and report new vulnerabilities in open source projects using CodeQL, the semantic code analysis engine GitHub now owns. CodeQL lets users query code as if it were data, so that once one instance of a bug has been found, every variant of the same pattern across a codebase can be located and the findings shared with the wider community.
GitHub's Security Lab will also work to build tools to better secure code-bases, more effectively connect the wider security community, and bring developers together as well.
"GitHub's approach to security addresses the whole open source security lifecycle," said vice president for product management and security Jamie Cool.
"GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version."
The initiative has launched as a 14-strong collaboration between F5 Networks, GitHub, Google, HackerOne, Intel, IOActive, JP Morgan, Microsoft, Mozilla, NCC Group, Okta, Trail of Bits, Uber and VMware.
The team behind Security Lab will dedicate full-time resources to finding and reporting vulnerabilities, and has already found more than 100 issues deemed serious enough to be assigned CVE identifiers.
CodeQL, which GitHub acquired with Semmle earlier this year, is also being made free to use on open source code, with its query library published as open source. Users can explore reams of open source code to find vulnerabilities, especially different variants of the same vulnerability that can otherwise be difficult to trace.
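As an added illustration of the "variant analysis" the two paragraphs above describe (this is example code written for this page, not a query from the article, GitHub or the Security Lab), here is a CodeQL query for C/C++ that takes one known bug shape, an unbounded `strcpy` into a fixed-size buffer, and reports every call in a codebase with the same shape. The class and predicate names (`FunctionCall`, `Variable`, `ArrayType`, `hasGlobalName`, `getUnspecifiedType`) are from the standard CodeQL C/C++ library; the query id and the C snippet in the comment are made up for the example.

```ql
/**
 * @name Unbounded strcpy into a fixed-size buffer
 * @description Finds calls to strcpy whose destination is an array of
 *              fixed size, the classic stack buffer overflow shape.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/strcpy-into-fixed-buffer
 */

import cpp

// Constructed target pattern this query is meant to match:
//   char buf[64];
//   strcpy(buf, attacker_controlled);
// A call such as strcpy(heap_ptr, src), where the destination is a
// pointer rather than an array, is deliberately not reported here.

from FunctionCall call, Variable dst
where
  call.getTarget().hasGlobalName("strcpy") and
  // the first argument is a direct access to a variable ...
  dst.getAnAccess() = call.getArgument(0) and
  // ... whose declared type is an array (size fixed at compile time)
  dst.getType().getUnspecifiedType() instanceof ArrayType
select call,
  "Unbounded strcpy into fixed-size buffer '" + dst.getName() + "'."
```

To run it against a project, build a database with `codeql database create <db> --language=cpp --command=<build command>` and then `codeql query run --database=<db> <query>.ql`. The query finds code with the same shape as the original bug, not proof that each hit is exploitable: every result still needs a human to check whether the source string is attacker-controlled and whether its length is bounded elsewhere.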
Developers are also being incentivised to contribute through a bug bounty programme which offers an award of up to $2,500, depending on the severity of the flaw and the quality of the submitted query.
GitHub's initiative is similar in nature to a host of other organisations that have been created in recent years to combat the rising tide of cyber crime, and bolster cyber security in general.
Microsoft, for example, is also a founding member of the CyberPeace Institute, which was established alongside Mastercard and the Hewlett Foundation in September to combat global cyber crime.
Mozilla, Intel and Red Hat, among others, were also part of a newly launched initiative to make the software development process more secure. The Bytecode Alliance will be an open source community dedicated to creating secure software foundations.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.