Git security audit: Inside the hunt for - and discovery of - CVEs

submitted by
Style Pass
2023-01-26 06:30:06

Keeping a secure development environment is my daily focus here at GitLab. My team and I are committed to hunting for vulnerabilities and mitigating them before they impact others. I feel equally enthusiastic about helping the development community identify potential risks. So when I had the opportunity to join an open-source security audit of Git, funded by the Open Source Technology Improvement Fund (OSTIF), I jumped at it. Little did I know it would lead to the discovery of CVE-2022-41903.

The Git security audit was run by X41 D-Sec on behalf of OSTIF. Because of my prior experience finding vulnerabilities in Git, I was very keen on joining the audit. When Markus at X41 suggested a collaboration to OSTIF, they were very open to it, so all I had to do was convince my manager to let me spend some time on this audit.

This wasn't a problem at all. The planned work fit nicely into our Security Research Team's Ecosystem Security Testing efforts, so we decided to donate a good chunk of my working hours to the audit.