GitHub now lets researchers privately report vulnerabilities to project maintainers

GitHub has announced the general availability of private vulnerability reporting, a channel through which security researchers and members of the public can report a vulnerability directly to a project's maintainers without disclosing it publicly. Keeping the report private until a fix has shipped denies attackers the head start they would otherwise get from a public issue or pull request describing the weakness.

Private vulnerability reporting was first made available as a public beta at GitHub Universe 2022. Since then, maintainers in 30,000 organizations have enabled the feature across more than 180,000 repositories, and GitHub says more than 1,000 submissions have been received through it.

With the promotion to general availability, GitHub has also added several features. Organization owners can now enable private vulnerability reporting for every repository in an organization at once rather than one repository at a time. Maintainers can also assign a credit type to the people who help with an issue; the types include analyst, finder, and sponsor, among others.

Finally, a new repository security advisories API supports integration with third-party systems, automated submissions, and vulnerability alerts. With the feature generally available, open-source projects have a standard, low-friction way to receive reports privately, which should make them a bit more secure.
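As an illustration of the automated submissions the API allows, the following is an added example written for this page, not code from GitHub or from the article. It targets the documented REST endpoint `POST /repos/{owner}/{repo}/security-advisories/reports`, validates the report fields locally before sending, and authenticates with a token read from the environment. The repository name, token, and report content are constructed placeholders; the field length limits follow the public API documentation.

```python
"""Submit a private vulnerability report via GitHub's REST API.

Added example (not GitHub's or the article's code). Assumes the documented
endpoint POST /repos/{owner}/{repo}/security-advisories/reports. The owner,
repository, token and report text used below are constructed placeholders.
"""
import json
import os
import re
import urllib.request
from typing import Any, Callable, Dict, Iterable, Optional

API_ROOT = "https://api.github.com"
API_VERSION = "2022-11-28"      # value for the X-GitHub-Api-Version header
SEVERITIES = ("critical", "high", "medium", "low")
SUMMARY_MAX = 1024              # documented maximum length of `summary`
DESCRIPTION_MAX = 65535         # documented maximum length of `description`


def build_report(summary: str, description: str, severity: Optional[str] = None,
                 cwe_ids: Iterable[str] = (), cvss_vector_string: Optional[str] = None,
                 vulnerabilities: Iterable[Dict[str, Any]] = (),
                 start_private_fork: bool = False) -> Dict[str, Any]:
    """Validate the report fields and return the JSON body to POST.

    Failing fast here keeps an automated submitter from sending a half-formed
    report that maintainers would then have to triage by hand.
    """
    if not summary.strip() or len(summary) > SUMMARY_MAX:
        raise ValueError(f"summary must be 1-{SUMMARY_MAX} characters")
    if not description.strip() or len(description) > DESCRIPTION_MAX:
        raise ValueError(f"description must be 1-{DESCRIPTION_MAX} characters")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    cwe_list = list(cwe_ids)
    for cwe in cwe_list:
        if not re.fullmatch(r"CWE-\d+", cwe):
            raise ValueError(f"bad CWE identifier: {cwe!r}")
    vuln_list = list(vulnerabilities)
    for vuln in vuln_list:
        pkg = vuln.get("package") or {}
        if not pkg.get("ecosystem") or not pkg.get("name"):
            raise ValueError("each vulnerability needs package.ecosystem and package.name")

    body: Dict[str, Any] = {"summary": summary, "description": description}
    if severity:
        body["severity"] = severity
    if cwe_list:
        body["cwe_ids"] = cwe_list
    if cvss_vector_string:
        body["cvss_vector_string"] = cvss_vector_string
    if vuln_list:
        body["vulnerabilities"] = vuln_list
    if start_private_fork:
        body["start_private_fork"] = True
    return body


def build_request(owner: str, repo: str, body: Dict[str, Any],
                  token: str) -> urllib.request.Request:
    """Build the authenticated POST; the token never goes anywhere but the header."""
    if not token:
        raise ValueError("a GitHub token is required; set GITHUB_TOKEN")
    url = f"{API_ROOT}/repos/{owner}/{repo}/security-advisories/reports"
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("X-GitHub-Api-Version", API_VERSION)
    req.add_header("Content-Type", "application/json")
    return req


def _http_send(req: urllib.request.Request) -> bytes:
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def submit_report(owner: str, repo: str, body: Dict[str, Any], token: str,
                  send: Callable[[urllib.request.Request], bytes] = _http_send) -> Dict[str, Any]:
    """POST the report and return the advisory fields a submitter tracks.

    `send` is injectable so the flow can be exercised offline with a stub.
    """
    advisory = json.loads(send(build_request(owner, repo, body, token)).decode("utf-8"))
    return {"ghsa_id": advisory.get("ghsa_id"),
            "state": advisory.get("state"),
            "html_url": advisory.get("html_url")}


if __name__ == "__main__":
    # Constructed report against a placeholder repository; runs only with a real token set.
    report = build_report(
        summary="Path traversal in archive extraction",
        description="Archive entries containing '../' are written outside the target directory.",
        severity="high", cwe_ids=["CWE-22"],
        vulnerabilities=[{"package": {"ecosystem": "npm", "name": "example-pkg"},
                          "vulnerable_version_range": "< 2.0.1", "patched_versions": "2.0.1"}])
    print(submit_report("octo-org", "octo-repo", report, os.environ.get("GITHUB_TOKEN", "")))
```

The response from a successful submission carries the advisory's `ghsa_id` and a `state` of `triage`; the report is visible only to the repository's maintainers (and the reporter) until they choose to publish it.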
