Everbest

We now provide Linux arm64 hosted runners free for all public repos. 40% performance boost. 🚀 github.blog/changelog/2025…

🎉 Excited to announce the launch of CodeQL Community Packs for Security teams and researchers! 🚀 Supercharge your code analysis with new Query, Model, and Library packs, to find more vulnerabilities, accelerate codebases audit, and secure code effortlessly. github.blog/security/vulne…

Probably my last CVE for the year: JWT Algorithm Confusion in a C library... github.com/xmidt-org/cjwt…

@never_released You guys have MTE? 🥲

How useful is PAC when you have MTE?

@pwntester @GHSecurityLab It was great to work with you & we will miss you for sure! May the force be with you

After an amazing journey, this is my last week at GitHub. It’s been an incredible 5 years working alongside the talented team at @GHSecurityLab. Grateful for the experiences, collaborations, and the amazing culture I’ve been a part of. On to the next adventure!

29 new vulnerabilities found in GStreamer by @nosoynadiemas! Click to learn how to improve fuzzing results with custom generators. github.blog/security/vulne…

Find and fix Actions workflows vulnerabilities with CodeQL (Public Preview) github.blog/changelog/2024…

I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, Peter Stöckli @GHSecurityLab and @wcbowling nastystereo.com/security/ruby-…

@never_released Still waiting for Snapdragon to add MTE support.

And if you want SVE2, do _not_ buy a Snapdragon device. Even for devices where it's present in the CPU core, it's not exposed at the hypervisor level to the HLOS.

Want to learn how to secure your browser extensions? Read our latest blog post where we talk about the security model of browser extensions and how developers can keep them secure. github.blog/security/vulne…

@InternSec @Agarri_FR @bluesky There‘s such a list for the Fediverse 😉 @LukaszOlejnik/109295817947521568" target="_blank" rel="nofollow noopener">mastodon.social/@LukaszOlejnik…

@Agarri_FR @bluesky Is there a follow list going around for those of us migrating?

The density and diversity of infosec people on @bluesky is now high enough to allow for great content and meaningful discussions. Why aren’t you joining? Known benefits: - no ads 😌 - no polarizing "For you" feed 🕊️ - an Open Source simili-TweetDeck 🤖

@yves_bieri Congrats!

We did it again :) big thanks to everyone that helped make this happen! #pwn2own

🔒 Secure your open-source supply chain! Discover why CVEs are crucial for protecting software dependencies in @taladrane's latest blog post: github.blog/security/suppl… #Cybersecurity #OpenSource #CVEs

@joaxcar @fwrnr Sadly not all server software is available/supported on Windows 😉

@ulldma @fwrnr Oh wow! Thanks 😀 this is precisely what I was trying to get at. Also, apparently, I need to spin up my Windows machine. Maybe my attack scenario is not lost after all

Moving more into server code challenges some assumptions that I unknowingly built up by mainly doing client-side reviews. It took me two days to figure out why my path traversal /dir/file/../../etc/passwd did not work. 🤦‍♂️

@joaxcar @fwrnr Things like this work on Windows, but not on Linux: (So often you might find a Windows-only path traversal) x.com/ulldma/status/…

@fwrnr thus /dir/../../../etc/passwd works but /dir/file/../../etc/passwd does not. The “file” in the first “dir” will not contain a “file” called .. :)

GHSL-2024-127_GHSL-2024-129: Remote Code Execution (RCE) via Cross-Site Scripting (XSS) in OpenC3 COSMOS - CVE-2024-43795, CVE-2024-46977, CVE-2024-47529 securitylab.github.com/advisories/GHS…

Azure Cobalt 100-based Virtual Machines are now generally available azure.microsoft.com/en-us/blog/azu… Crazy project with equal parts VHDX and C. Go have fun with these and let me know how that goes!

Hyped to speak at @ekoparty in November!

@griffinbyatt @lowqualityfacts/113001211638522704" target="_blank" rel="nofollow noopener">mstdn.social/@lowqualityfac… 😉

“It’s not embarrassing, no one will remember it in 5 minutes.” Not true, I’ll remember when you tripped and tried to play it off as breaking into a light jog for the rest of my life

GHSL-2024-005_GHSL-2024-008: SSRF, XSS, RCE and Sensitive information disclosure in OpenHAB Web UI - CVE-2024-42467, CVE-2024-42468, CVE-2024-42469, CVE-2024-42470 securitylab.github.com/advisories/GHS…