GitHub Engineering

A formal spec for GitHub Flavored Markdown

We are glad we chose Markdown as the markup language for user content at GitHub. It provides a powerful yet straightforward way for users (both technical and non-technical) to write plain text documents that can be rendered richly as HTML.

Discontinue support for weak cryptographic standards

Cryptographic standards are ever evolving. It is the canonical game of security cat and mouse, with attacks rendering older standards ill-suited, and driving the community to develop newer and stronger standards to take their place. There have been a number of cryptographic attacks over the past of couple of years. These include, but are not limited to, attacks such as POODLE and Logjam . And, while there have been workarounds for some of these attacks, they demonstrated that several cryptographic standards in wide deployment are showing their age and should be retired. As a result, GitHub is announcing the immediate deprecation, and eventual disablement, of our use of the following cryptographic standards:

A glimpse into GitHub's Bug Bounty workflow

Last month, we announced the third anniversary of our Bug Bounty Program. While there’s still time to disclose your findings through the program, we wanted to pull back the curtain and give you a glimpse into how GitHub’s Application Security team triages and runs it.

Adding Community & Safety checks to new features

With the continuous shipping nature at GitHub, it’s easy for the most well-intentioned feature to accidentally become the vector of abuse and harassment. The Community & Safety engineering team focuses on building community management tools and maintaining user safety, but we also review new features our colleagues have written to ensure there are no accidental abuse vectors. Similar to Application Security reviews, these Community & Safety reviews hopefully catch any potential problems before they go out, in order to minimize impact on marginalized folks, reduce spam, and encourage healthy communities.

New and improved two-factor lockout recovery process

The Recover Accounts Elsewhere feature lets you associate your GitHub account with your Facebook account. This will help us recover your account for certain two-factor authentication lockout scenarios. For example, you may become locked out of your GitHub account because you have lost your phone or U2F key, changed phones without re-enrolling, or have otherwise lost the ability to use your phone or token without a usable backup.

Older posts