In GitHub’s advisory pipeline, some advisories move faster than others
GitHub Security Advisories distribute vulnerability information about open-source projects to the developers and security tools that depend on them. A new study finds that only a small fraction of those advisories ever pass through GitHub’s formal review process.
A large-scale view of advisory data
A review of GitHub Security Advisories published between 2019 and 2025 examined 288,604 advisories. Of those, 23,563, about 8%, completed GitHub’s review process.
Although most advisories remain unreviewed, reviewed entries play an outsized role in security workflows. They feed dependency scanners, alerting systems, and automated remediation tools used by development teams.
To reconstruct advisory timelines, GitHub advisory records were combined with publication data from the National Vulnerability Database (NVD) and several ecosystem-specific databases, including RustSec, PyPA, RubySec, FriendsOfPHP, and GoVulnDB. This makes it possible to track when advisories were published, when patches became available, and when GitHub completed reviews.
Advisories published before and after mid-2022 were examined separately to account for GitHub’s large automation effort, which imported historical and ongoing data from the NVD in bulk.
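The intervals the study measures fall out of a simple join of dated records. The Python below, an added example that is not the study’s own code, reconstructs per-advisory timelines from constructed sample records and computes the two latencies the article discusses (publication to review, patch release to review) separately for each entry path, plus the share reviewed within a window. The record layout, the source labels "repository" and "nvd", and every date are this example’s assumptions; a real pipeline would fill the fields from the GitHub Advisory Database, the NVD and the ecosystem databases named above.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample records, not real advisories. Tuple layout and the two
# source labels ("repository" = GitHub Repository Advisory, "nvd" = imported
# from the NVD) are this example's own assumptions. A None review date means
# the advisory never completed GitHub's review; a None patch date means no fix
# was known when the advisory was published.
SAMPLE = [
    # (id, source, patch released, advisory published, GitHub review completed)
    ("adv-01", "repository", "2023-03-01", "2023-03-02", "2023-03-03"),
    ("adv-02", "repository", "2023-03-05", "2023-03-05", "2023-03-06"),
    ("adv-03", "repository", "2023-04-10", "2023-04-12", "2023-04-19"),
    ("adv-04", "repository", "2023-05-01", "2023-05-02", "2023-05-02"),
    ("adv-05", "nvd",        "2023-03-01", "2023-03-04", "2023-03-20"),
    ("adv-06", "nvd",        "2023-03-10", "2023-03-11", "2023-04-15"),
    ("adv-07", "nvd",        "2023-04-01", "2023-04-03", "2023-04-05"),
    ("adv-08", "nvd",        None,         "2023-05-01", "2023-05-20"),
    ("adv-09", "nvd",        "2023-06-01", "2023-06-02", None),
]


def _day(s):
    """ISO date string -> date, passing None (and dates) through unchanged."""
    return date.fromisoformat(s) if isinstance(s, str) else s


def reviewed_share(records):
    """Fraction of advisories that completed review (the study's headline figure)."""
    return sum(1 for r in records if r[4]) / len(records)


def review_intervals(records, since=None):
    """Per source, the two latencies in days: publication -> review and
    patch release -> review. `since` (ISO string or date) drops advisories
    published earlier, the way the study split its data around mid-2022."""
    since = _day(since)
    out = defaultdict(lambda: {"publish_to_review": [], "patch_to_review": []})
    for _id, source, patched, published, reviewed in records:
        patched, published, reviewed = _day(patched), _day(published), _day(reviewed)
        if reviewed is None or (since is not None and published < since):
            continue  # unreviewed, or outside the requested period
        out[source]["publish_to_review"].append((reviewed - published).days)
        if patched is not None:
            # Days in which a fix existed but consumers of reviewed advisories
            # (dependency scanners, alerting) had not yet been told about it.
            out[source]["patch_to_review"].append((reviewed - patched).days)
    return dict(out)


def summarize(records, window_days=5, since=None):
    """Median latency and share reviewed within `window_days`, per source."""
    summary = {}
    for source, intervals in review_intervals(records, since).items():
        summary[source] = {}
        for name, values in intervals.items():
            summary[source][name] = {
                "n": len(values),
                "median_days": median(values),
                "within_window": sum(1 for v in values if v <= window_days) / len(values),
            }
    return summary


if __name__ == "__main__":
    print(f"reviewed share: {reviewed_share(SAMPLE):.2f}")
    for source, stats in summarize(SAMPLE).items():
        for name, s in stats.items():
            print(f"{source:10s} {name:17s} n={s['n']} median={s['median_days']} "
                  f"within 5d={s['within_window']:.0%}")
```

Patch-to-review is only defined for advisories that carry a fix date, so its sample size is smaller than publication-to-review; any real analysis should report both counts, since the missing-fix cases are exactly the ones where a scanner has nothing to recommend anyway.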
Two paths into GitHub’s review pipeline
When advisory timelines are mapped, a consistent split appears. Advisories tend to follow one of two main paths into GitHub’s review system.
Some advisories begin as GitHub Repository Advisories, created directly by project maintainers inside their repositories, often while a fix is already being prepared. Other advisories originate outside GitHub, most commonly in the NVD, and are imported later.
After June 2022, 95% of GitHub Repository Advisories were reviewed within five days of publication. Advisories sourced from the NVD moved more slowly, with 78% reviewed within the same timeframe.
GitHub Repository Advisories reached review in under one day at the median, while NVD-sourced advisories took longer, with a tail that stretched into weeks.
Patch releases and advisory review timing
Review timing matters more after patches are released. One measured interval tracks how long it takes for GitHub to review an advisory after a fix has already been released.
For advisories published after mid-2022, the median time from patch release to review was two days for GitHub Repository Advisories. Advisories sourced from the NVD showed a median delay of 28 days.
During that interval a fix exists but the automated warnings that depend on reviewed advisories have not yet fired. That gap is a window of exposure: attackers can diff the patch to develop an exploit, while defenders who rely on those alerts do not yet know an update is needed.
Automation improved review speed
GitHub’s automation effort improved review timelines for advisories imported from the NVD. After the historical data backfill in mid-2022, median review times for that path dropped to under one day, with most advisories reviewed within four days.
Even with these improvements, review speed continued to differ based on entry path. Advisories created directly within GitHub consistently moved through review faster across nearly all measured percentiles.
Different reviewers and different projects
GitHub Repository Advisories are often reviewed by contributors with limited prior review history. For these advisories, the median reviewer had zero previous credited reviews, meaning at least half were handled by contributors completing their first recorded advisory review.
Advisories imported from the NVD show a different pattern. The median reviewer for those advisories had completed 33 prior reviews, with experience extending much higher at the upper end.
Repository characteristics differed as well. Nearly 70% of repositories linked to GitHub Repository Advisories included an explicit security policy, compared with about 40% of repositories linked to NVD-sourced advisories. Projects using Repository Advisories also tended to be more actively maintained and better prepared for coordinated vulnerability disclosure.
Why the split persists
The difference in review timing can be traced to how advisories move through GitHub’s review pipeline. Advisories imported from the NVD pass through an additional waiting stage before review. GitHub Repository Advisories enter the review queue directly.
A queue-based model reproduces observed review order and average delays without assuming explicit prioritization. The structure of the pipeline alone produces systematically shorter review latencies for GitHub Repository Advisories.
Changes in disclosure behavior could measurably reduce review time. In that model, reducing the share of advisories arriving through the NVD from 47% to 10% would cut average review time nearly in half.
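The structural effect is easy to see in a toy version of the pipeline. The simulation below is an added example, not the study’s model: a single FIFO reviewer with a constant service time, no prioritization of either path, and one difference between the paths, namely that NVD-sourced advisories sit in an import stage for a fixed lag before they can enter the review queue. Every parameter (arrival spacing, service time, import lag, seed) is an assumption chosen for illustration, not a measured value; what the model reproduces is the direction of the gap and the way the average falls as the NVD share shrinks, not the study’s specific numbers.

```python
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass
class Advisory:
    published: float   # day the advisory became public
    via_nvd: bool      # True: imported from the NVD; False: GitHub Repository Advisory
    reviewed: float = 0.0


def simulate(n=2000, nvd_share=0.47, interarrival=1.0, service=0.5,
             import_lag=7.0, seed=42):
    """One FIFO reviewer with constant service time. NVD-sourced advisories
    enter the queue only after a fixed import/staging lag; repository
    advisories enter at publication. Neither path is prioritized.
    All parameters are constructed for illustration, not measured values."""
    rng = random.Random(seed)
    advisories = [Advisory(published=i * interarrival,
                           via_nvd=rng.random() < nvd_share) for i in range(n)]

    def enters_queue(a):
        return a.published + (import_lag if a.via_nvd else 0.0)

    reviewer_free = 0.0
    # FIFO by queue-entry time; ties go to the advisory published earlier.
    for a in sorted(advisories, key=lambda a: (enters_queue(a), a.published)):
        start = max(reviewer_free, enters_queue(a))
        a.reviewed = start + service
        reviewer_free = a.reviewed
    return advisories


def latency_by_path(advisories):
    """Publication-to-review latency (days) summarized per entry path."""
    gra = [a.reviewed - a.published for a in advisories if not a.via_nvd]
    nvd = [a.reviewed - a.published for a in advisories if a.via_nvd]
    return {
        "gra_mean": mean(gra), "gra_median": median(gra),
        "nvd_mean": mean(nvd), "nvd_median": median(nvd),
        "all_mean": mean([a.reviewed - a.published for a in advisories]),
    }


def mean_latency_for_share(nvd_share, **kwargs):
    """Average latency across both paths for a given NVD share."""
    return latency_by_path(simulate(nvd_share=nvd_share, **kwargs))["all_mean"]


if __name__ == "__main__":
    stats = latency_by_path(simulate())
    print("repository advisories: median %.1f d, mean %.2f d"
          % (stats["gra_median"], stats["gra_mean"]))
    print("NVD-sourced advisories: median %.1f d, mean %.2f d"
          % (stats["nvd_median"], stats["nvd_mean"]))
    for share in (0.47, 0.10):
        print("NVD share %.2f -> overall mean %.2f d"
              % (share, mean_latency_for_share(share)))
```

The reviewer in this model never looks at where an advisory came from, yet every NVD-sourced advisory finishes at least one import lag later than a repository advisory published the same day, and lowering the NVD share lowers the overall average because fewer advisories pay that lag at all. Raising the utilization (shorter interarrival or longer service) adds queueing delay on top, which hits both paths equally and narrows the relative gap without closing it.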