GitHub Security Lab

📦 Security Track Spotlight: 👉Join Shelby Cunningham & Madison Oliver Ficorilli at #PyConUS 2026 for “Breaking Bad (Packages)” and learn why traditional vulnerability tracking struggles with supply chain attacks and what better approaches look like. https://lnkd.in/gvVEvEKA #security

Your mother tongue is the new programing language for creating exploits. For maintainer month, we took inspiration from #OpenClaw and built ProdBot! An intentionally vulnerable agent wired up with MCPs, skills, agentic workflows, and multi-agent capabilities. You will learn from it, while having fun! It runs in Codespaces, straight from your browser, in under two minutes. Play now at: gh.io/secure-code-game Learn more: https://lnkd.in/gacyENSm

On 25th April at 10AM, join Sylwia Budzynska for the workshop "Introduction to security research. Find a CVE with CodeQL" at the Linux Session organized by Akademickie Stowarzyszenie Informatyczne in Wroclaw, Poland! Learn security research and static analysis fundamentals when looking for vulnerabilities in software. Using an example CVE we’ll walk through how we could find the CVE, how CodeQL would detect it, and write a CodeQL query to find similar variants of the vulnerability at scale. Check out more information on the conference's website: https://linuksowa.pl/

Building with AI? 🤖 Then you won’t want to miss tomorrow’s Devoxx France 🏢 workshop with Xavier René-Corail and Joseph Katsioloudes — all about how to build robust AI-powered applications. Shall we play a Game? LLM Security in Practice https://lnkd.in/grbXk8dQ 📍 Paris 142 - Palais des Congrès, Porte Maillot, Paris 🗓️ April 22, 10.30am CET

Catch Shelby Cunningham on stage at CVE/FIRST VulnCon 2026 in Scottsdale, Arizona. Her panel, “Supply Chains and Malware Campaigns: Is CVE the Right Way to Name the Game?”, examines whether CVE is the right tool for tracking open-source supply chain compromises — from isolated package incidents to large-scale campaigns affecting hundreds of packages. Date: April 16, 2026 | 1:15–2:15 PM MST (UTC-7) Learn more: https://lnkd.in/g6YmzEVk

AI agents that execute commands, browse the web, and coordinate with other agents are everywhere. But how do you know they're safe? Season 4 of Github's Secure Code Game lets you find out by hacking one yourself. Free, hands-on, and you can get started in under 2 minutes! Learn more in our latest blog. https://lnkd.in/gacyENSm

vulnz.ch's second edition will take place on Monday, April 20th at HeadsQuarter The Historic in Zurich. Peter will present GitHub Security Lab's AI-powered vulnerability scanning framework and I will cover defending AI agents with open source tooling. If you're into appsec, pentesting, vulnerability research, or anything in between, come join us! https://luma.com/ul9wg5o8

Who’s at VulnCon? Join Sophia Sanles-Luksetich and Zachary Goldman at CVE/FIRST VulnCon 2026 in Scottsdale, Arizona. Their talk, “Flipping the Criticality Funnel: A Practical Path to Real Prioritization”, covers how GitHub built a unified risk-scoring model that combines CVSS, EPSS, KEV, and asset context to cut through alert noise and drive remediation where it matters most. Date: April 15, 2026 | 11:35 AM–12:05 PM MST (UTC-7) Learn more: https://lnkd.in/gx-TTAP3

A zero-permission Android app could read every photo, video, voice note, and document in your Signal chats. Downloaded Signal apk directly from Signal.org? You were vulnerable. https://lnkd.in/g9ZbPgn2