Posts by

Mike Hanley

@mph4

I'm the Chief Security Officer at GitHub. Prior to GitHub, I was the Vice President of Security at Duo Security, where I built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco, I led the transformation of Cisco’s cloud security framework and later served as CISO for the company. When I'm not talking about security at GitHub, I can be found enjoying Ann Arbor, MI with my wife and seven kids.

GitHub security update: revoking weakly-generated SSH keys

On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client - GitKraken. An underlying issue with a dependency, called `keypair`, resulted in the GitKraken client generating weak SSH keys.

October 11, 2021

Updates to our policies regarding exploits, malware, and vulnerability research

One month ago, we started a discussion with the community about proposed revisions to clarify GitHub’s policies on security research, malware, and exploits with the goal to enable, welcome, and encourage dual-use security research and collaboration on GitHub. We want to thank the broader security research community, project maintainers, and developers who shared feedback with […]

June 4, 2021

A call for feedback on our policies around exploits and malware

April 30, 2021 update: Thank you to everyone who’s weighed in on the discussion so far. I’ve commented in the pull request to clarify a few points based on initial feedback. Keep the comments coming. We’re calling for feedback on our policy around security research, malware, and exploits on the platform so that the security […]

April 29, 2021

GitHub security update: A bug related to handling of authenticated sessions

Why did I get logged out of GitHub.com? On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution to protect users from an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions. […]

March 8, 2021

Hello from GitHub’s new Chief Security Officer

The world runs on software, and a large portion of it, especially the open source software that’s part of everything we experience, is built by millions of developers on GitHub every day. GitHub is heavily invested in both the security of the platform and helping developers shift left their security investments in building secure software. […]

February 24, 2021