GitHub introduces private vulnerability reporting for open source repositories

GitHub has announced that its private vulnerability reporting feature for open source repositories is now available to all project owners.

General availability

The private vulnerability reporting feature provides a direct collaboration channel that allows researchers to more easily report vulnerabilities, and maintainers to easily fix them.

It has been available in public beta since November 2022.

“Since then, maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers,” GitHub’s Kate Catlin and Eric Tooley shared.

Now that the feature is generally available, maintainers can enable it on all of their organization’s repositories (in the public beta version, the feature could be enabled only on individual repositories).

[Image: Enabling private vulnerability reporting (Source: GitHub)]

Simplifying vulnerability reporting and remediation

“One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer,” said Jonathan Leitschuh, GitHub security ambassador and senior researcher for the OpenSSF Project Alpha-Omega.

Private vulnerability reporting, by contrast, is convenient for both security researchers and project maintainers: it gives them a single place to exchange all the necessary information and avoids complicated back-and-forth emailing.

Security researchers can also use the new repository security advisories API to open a private vulnerability report on multiple repositories (when packages share a common vulnerability), and project maintainers can channel these reports from GitHub to the third-party vulnerability management systems they use.
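The multi-repository case described above, as an added example that is not part of the original article or GitHub's own tooling: one finding that affects packages built from shared code in two repositories is fanned out into one private report per repository. The endpoint path (`POST /repos/{owner}/{repo}/security-advisories/reports`), the request headers and the `summary`/`description`/`severity`/`cwe_ids`/`vulnerabilities` field names follow GitHub's REST API documentation for privately reporting a security vulnerability as I recall it; treat them as assumptions to check against the current docs. The organization, repository and package names are constructed, and the default `dry_run=True` returns the prepared requests instead of sending anything.

```python
import json
import os
import urllib.request

GITHUB_API = "https://api.github.com"
ALLOWED_SEVERITIES = {"low", "medium", "high", "critical"}

# Constructed sample finding: the same bug lives in two repositories that each
# publish a package from the shared extraction code (names are made up).
SHARED_FINDING = {
    "summary": "Path traversal in archive extraction helper",
    "description": "Extracting an archive containing '../' entries writes files "
                   "outside the chosen target directory.",
    "severity": "high",
    "cwe_ids": ["CWE-22"],
}

# Per-repository list of affected packages; each entry becomes the
# 'vulnerabilities' array of that repository's report.
AFFECTED = {
    "example-org/unpack-js": [
        {"package": {"ecosystem": "npm", "name": "@example/unpack"},
         "vulnerable_version_range": "< 2.1.0", "patched_versions": "2.1.0"},
    ],
    "example-org/unpack-py": [
        {"package": {"ecosystem": "pip", "name": "example-unpack"},
         "vulnerable_version_range": "< 1.4.2", "patched_versions": "1.4.2"},
    ],
}


def report_url(full_name):
    """Build the private-report endpoint for an 'owner/repo' string (assumed path)."""
    owner, repo = full_name.split("/", 1)
    if not owner or not repo:
        raise ValueError(f"expected 'owner/repo', got {full_name!r}")
    return f"{GITHUB_API}/repos/{owner}/{repo}/security-advisories/reports"


def build_report(finding, vulnerabilities):
    """Combine the shared finding with one repository's affected packages."""
    if finding.get("severity") not in ALLOWED_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(ALLOWED_SEVERITIES)}")
    if not vulnerabilities:
        raise ValueError("each report needs at least one affected package")
    body = dict(finding)          # copy so the shared finding is never mutated
    body["vulnerabilities"] = list(vulnerabilities)
    return body


def submit_reports(finding, affected, token=None, dry_run=True):
    """Open one private vulnerability report per affected repository.

    Returns {repo: prepared request} in dry-run mode, or {repo: API response}
    when actually submitting with a token (GITHUB_TOKEN by default).
    """
    token = token or os.environ.get("GITHUB_TOKEN")
    results = {}
    for full_name, vulns in affected.items():
        url = report_url(full_name)
        body = build_report(finding, vulns)
        if dry_run:
            results[full_name] = {"url": url, "body": body}
            continue
        if not token:
            raise RuntimeError("a token is required to submit reports")
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode("utf-8"),
            method="POST",
            headers={
                "Accept": "application/vnd.github+json",
                "Authorization": f"Bearer {token}",
                "X-GitHub-Api-Version": "2022-11-28",
                "Content-Type": "application/json",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            results[full_name] = json.load(resp)
    return results


if __name__ == "__main__":
    # Dry run: print the requests that would be sent, one per repository.
    for repo, prepared in submit_reports(SHARED_FINDING, AFFECTED).items():
        print(repo, "->", prepared["url"])
        print(json.dumps(prepared["body"], indent=2))
```

Running the script as-is only prints the prepared requests; set `dry_run=False` and export a token with permission to report on the target repositories to submit them. Keeping the shared finding separate from the per-repository package list is what makes the fan-out safe to re-run: the same summary, CWE and severity go to every repository, while each report names only the packages that repository actually publishes.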
