
This is great research and a great write-up, but I'm a little (pleasantly) surprised to see it on GitHub's blog.

Does anyone know what their "business reason" for doing research like this is? (not that a business reason should be needed, but like I said, I'm a bit surprised to see it here)



Man Yue Mo worked at Semmle (https://blog.sonatype.com/steps-to-responsible-disclosure) before it was acquired by GitHub (https://github.blog/2019-09-18-github-welcomes-semmle/). That research function has carried on as the GitHub Security Lab.

Semmle built CodeQL, now offered by GitHub (https://docs.github.com/en/code-security/code-scanning/intro...), which GitHub and Microsoft (see https://www.microsoft.com/en-us/security/blog/2023/11/02/ann...) want to associate with "deep security insight".

So they continue to fund this kind of novel security research, for which security practitioners across industry are grateful.


This work comes from GitHub's Security Lab https://securitylab.github.com/


A little surprising that hasn't been shifted into MSRC, but GitHub operates very independently inside Microsoft.


They got bought by Microsoft and so have the resources to sponsor research, including of this kind. There’s a GitHub app, and the security of that app is not outside their purview. If an attacker manages to install a lurky app on your phone, they could do stuff as you. If you're someone with GitHub clout, that could be real damaging, so it's in their interests to find such vulnerabilities.


They have hosted Actions runners for Arm too. So, they may have an interest in checking and verifying the security capabilities of Arm hardware with MTE for sandboxing.


> Does anyone know what their "business reason" for doing research like this is? (not that a business reason should be needed, but like I said, I'm a bit surprised to see it here)

I think it's basically basic research [0]. In first-order reasoning, GitHub, as a product, doesn't really need Android security experts. But employing them has some potential long-term benefits.

[0]: https://en.wikipedia.org/wiki/Basic_research


Unlike other departments, security teams often don’t have anything to do so this research is a good use of free time.


What is this comment? The GitHub Security Lab solely focuses on security research and publishes some of the best research in the industry.

Man Yue Mo is a security researcher who finds some of the most complex and impactful bugs in the industry like crbug.com/40065473


Seeing mmsc's post history, especially computer security related comments, I presume he was just being sarcastic :)


Indeed.

Although, it wouldn’t be abnormal for a security team to have free time, and dedicate it to researching an emerging technology whether it directly contributes to the business goals or not. Of course I’m not talking about a security team that is reading log files from their SIEM while sitting in a SOC.


How many security teams have you been on? Definitely ones with less work than I've been on...


Sadly people didn't see the sarcasm in this comment


I understand people disliking using tone indicators, especially when they can ruin a joke, but they are really wonderful things that can prevent misunderstandings like this online.


Wow, that's just absolutely incorrect. Ignoring that tons of security teams are actually stupidly busy, this person's specific role at GitHub is security research. GitHub have security products for code security, which he ties into.


My colleagues at the GH Security Lab saw this and made this thread/response [1]

I’ll paste:

Why does GitHub Security Lab do research like @mmolgtm’s recent work on bypassing MTE on the Pixel 8? This question was asked on Hacker News and we think it’s worth a short thread. news.ycombinator.com/item?id=397522…

First an important point: we only research open source code, which means that many parts of your phone (for example most of your apps) are out-of-scope for us. That said, all open source code is in-scope, including projects that aren’t hosted on GitHub. (Quote tweet reply to this tweet [2])

In this particular case, @mmolgtm found a bug in Arm Mali, which is an open source GPU driver used on many Android phones. Android itself is open source. https://developer.arm.com/downloads/-/mali-drivers/valhall-k...

Open source software is the foundation of much of the world’s software. So when open source wins, we win. And that’s why @GitHub takes its responsibility seriously, to help make open source software more secure.

GitHub Security Lab sits within @GitHubSecurity, and we focus exclusively on open source security with four main priorities:

First, we run the GitHub Advisory Database, which is a comprehensive database of open source vulnerabilities. https://t.co/U4HlXO2l1G

Second, we share information around secure coding practices, through blogs and video content. https://t.co/EdO5SZtR0B

Third, we use GitHub’s CodeQL to scan thousands of open source repositories for common security mistakes, like SQL injections or path traversals. https://t.co/m72rt2a5RL

And fourth, we do deep research on critical open source projects. @mmolgtm’s recent work on Arm Mali is an example of this. https://t.co/jxVYeoJjtO

The work that we do feeds into GitHub’s security products. For example, the advisory database is used to generate Dependabot alerts. https://docs.github.com/en/code-security/dependabot/dependab...

Similarly, our work with CodeQL provides feedback to the code scanning team to help improve and further develop the feature so that more vulnerabilities are caught quickly and automatically. https://docs.github.com/en/code-security/code-scanning/intro...

And these activities also benefit open source, because GitHub security products, including Dependabot and CodeQL, are free for open source projects!

Our deep research work is primarily intended to inspire the community, so that we can improve open source security together. That’s why we publish detailed blog posts and proof-of-concept exploits.

https://github.com/github/securitylab/tree/main/SecurityExpl...

We’re big believers in Linus's law: “given enough eyeballs, all bugs are shallow”. Together, we’re making open source software secure. https://en.wikipedia.org/wiki/Linus%27s_law

[1]: https://x.com/ghsecuritylab/status/1770940743944720557

[2]: https://x.com/zemarmot/status/1681008991663423489



