Security News

HackerOne announced a new workflow automation integration with GitHub that enables the tracking and synchronization of high-priority vulnerability reports between HackerOne and GitHub. HackerOne is making its debut on GitHub's Marketplace.

GitHub this week disclosed the details of an easy-to-exploit Linux vulnerability that can be leveraged to escalate privileges to root on the targeted system. The flaw, classified as high severity and tracked as CVE-2021-3560, impacts polkit, an authorization service that is present by default in many Linux distributions.

GitHub this week announced that it has started scanning code hosted on its platform for package registry credentials, including RubyGems and PyPI secrets. The scanning is performed via GitHub secret scanning, a service meant to identify exposed secrets in pushes to repositories.

GitHub has recently expanded its secrets scanning capabilities to repositories containing PyPI and RubyGems registry secrets. The move helps protect millions of applications built by Ruby and Python developers who may inadvertently be committing secrets and credentials to their public GitHub repos.

Code hosting platform GitHub says it has updated its policies regarding vulnerability research, malware, and exploits, to permit dual-use security research. Previously, the policies could be considered hostile toward projects with dual-use content, but the updated guidelines aim to make it clear that GitHub "Enables, welcomes, and encourages" dual-use security research - i.e. research that can be used for both good and bad purposes.

Soon after uploading the exploit, Jang received an email from Microsoft-owned GitHub stating that PoC exploit was removed as it violated the Acceptable Use Policies. GitHub faced immediate backlash from security researchers who felt that GitHub was policing the disclosure of legitimate security research simply because it was affecting a Microsoft product.

Code-hosting platform GitHub Friday officially announced a series of updates to the site's policies that delve into how the company deals with malware and exploit code uploaded to its service. Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or a malware content delivery network.

IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him. What happened next united infosec professionals across the world as well as triggering a crowdfundraiser and a behind-the-scenes legal war: we're told Apperta sent Dyke legal demands, and followed those up by alleging to the cops that he broke Britain's computer security laws.

GitHub, the ubiquitous host for software development and version control, is now supporting security keys when using Git over SSH. In a post on Monday, GitHub security engineer Kevin Jones said that this is the next step when it comes to increasing security and usability. These security keys, which include YubiKey, Thetis Fido U2F Security Key and Google Titan Security Keys, are easy to pop into your pocket and cart around between machines, with most connecting via USB, NFC or Bluetooth.

GitHub has added support for securing SSH Git operations using FIDO2 security keys for added protection from account takeover attempts. "Once generated, you add these new keys to your account just like any other SSH key," GitHub Senior Security Engineer Kevin Jones said.