Vulnerability reports are arriving faster than GitHub can review them
Across the open source world, people are reporting software flaws in record numbers, and the systems built to verify those reports are straining under the weight. The GitHub Advisory Database, which feeds automated security alerts to millions of projects, has reached a point where some new advisories take weeks to publish.
In May 2026, the database published 1,560 reviewed advisories, the most in its history and several times its usual monthly output. The volume still fell short of what arrived.

Record input across every channel
The growth runs through every source that feeds the database. Private vulnerability reports climbed from a few hundred a week in January to more than 3,000 a week through most of May.
Repository advisories followed a similar curve, reaching beyond 5,000 a week at the peak. GitHub’s work as a CVE Numbering Authority pulled in close to 4,000 CVE requests in May alone, many times the count from a year earlier.
The trend reaches well past one company. The global CVE program has published more than 30,000 entries so far in 2026.
Private vulnerability reporting now runs on a large base of projects, more than 1.7 million repositories in total. To sustain the inflow, GitHub kept up more than 6,000 advisory decisions a month from March through May, a span covering new advisories, updates, and inbound reviews.
Where the time goes
Since mid-April, publication has slowed. Review times stretched first to about a week, then to several weeks for a meaningful share of reports. Longer waits widen the window in which a known flaw sits unpatched, and Madison Ficorilli, the senior security manager who leads the curation team, treats timeliness as central to the database’s value.
“Not every security advisory requires the same level of effort. Some arrive well formatted: the advisory details clearly name the affected package and its relevant ecosystem, the version range is documented, and the fix is tagged. A curator can validate and publish these in under a few minutes. But a growing share of incoming advisories require more investigation,” Ficorilli explained.
A rising share demands real investigation: pinning down which registry a package belongs to, rebuilding version ranges from commit history, or settling cases where a CVE record, a maintainer’s note, and the code disagree about what is affected.
What stays intact
Quality has held through the surge. Published advisories remain accurate, data pipelines keep running, and anything marked reviewed meets the same standard set before the spike. The CVE assignment rate stayed between 91 and 94 percent the whole time, in line with past norms.
The constraint is throughput. GitHub said publishing faster by skipping verification “would increase false positives at scale,” a risk it weighs against the cost of delay.
How GitHub is responding
The curation team has deployed AI tools to speed the research phase, and curators still make every decision. Engineers have expanded backend capacity, sharpened triage so strong submissions move sooner, and widened automation that pulls data from upstream CVE records. Planned work centers on cutting the time spent on routine cases and ranking incoming reports by signals such as active exploitation and how widely a package is used.
What researchers can do
“If you want to help, focus on three things: submit complete vulnerability data, coordinate closely with maintainers and researchers, and request CVEs only when there is a clear intention to publish,” Ficorilli said.
Close coordination among maintainers and researchers keeps package names, version ranges, and fixes aligned across sources. Reserving CVE requests for cases headed toward real disclosure keeps curator attention on advisories moving toward release.
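As an added illustration of the completeness criteria Ficorilli describes (named package and ecosystem, documented version range, tagged fix), here is a small Python checker, written for this page rather than taken from GitHub, that flags what is missing from an OSV-format advisory record. The ecosystem list is a partial set assumed for the example, and both sample records are constructed.

```python
# Triage an OSV-format advisory for the three fast-path criteria: a named
# package in a known ecosystem, a documented version range, and a tagged fix.
# Ecosystems the GitHub Advisory Database covers (partial list, assumed here).
KNOWN_ECOSYSTEMS = {"npm", "PyPI", "Go", "Maven", "RubyGems",
                    "crates.io", "NuGet", "Packagist", "Pub", "Hex"}

def _version_key(version):
    """Sort key for dotted versions; non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def triage_gaps(advisory):
    """Return reasons this advisory needs manual investigation; [] = fast path."""
    gaps = []
    affected = advisory.get("affected") or []
    if not affected:
        gaps.append("no affected package listed")
    for entry in affected:
        pkg = entry.get("package", {})
        name, eco = pkg.get("name") or "?", pkg.get("ecosystem")
        if name == "?":
            gaps.append("affected package has no name")
        if eco not in KNOWN_ECOSYSTEMS:
            gaps.append(f"{name}: unknown or missing ecosystem {eco!r}")
        ranges = entry.get("ranges") or []
        if not ranges:
            gaps.append(f"{name}: no version range documented")
        for rng in ranges:
            # Flatten [{"introduced": ..}, {"fixed": ..}] into one mapping.
            events = {k: v for ev in rng.get("events", []) for k, v in ev.items()}
            if "introduced" not in events:
                gaps.append(f"{name}: range lacks an 'introduced' event")
            if "fixed" not in events and "last_affected" not in events:
                gaps.append(f"{name}: range has no 'fixed' or 'last_affected' bound")
            elif (rng.get("type") == "SEMVER" and "fixed" in events and "introduced" in events
                  and _version_key(events["fixed"]) <= _version_key(events["introduced"])):
                gaps.append(f"{name}: fixed version does not follow introduced version")
    if not any(ref.get("type") == "FIX" for ref in advisory.get("references", [])):
        gaps.append("no reference of type FIX: fix commit or release not tagged")
    return gaps

# Constructed complete report: ecosystem, bounded SEMVER range, FIX reference.
COMPLETE = {"id": "EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "npm", "name": "example-lib"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}]}],
    "references": [{"type": "FIX", "url": "https://example.invalid/commit/abc123"}]}
# Constructed incomplete report: no ecosystem, open-ended range, fix not tagged.
INCOMPLETE = {"id": "EXAMPLE-0002", "affected": [{
    "package": {"name": "example-lib"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}],
    "references": [{"type": "REPORT", "url": "https://example.invalid/issue/1"}]}
```

Running `triage_gaps` over each record returns an empty list for the complete one and three gaps for the incomplete one, which mirrors the split between advisories a curator can publish in minutes and those that need research.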
Two years ago, the database handled roughly 270 advisories a month. The climb since then tracks a wider move toward open vulnerability disclosure, and GitHub plans to keep scaling its review pipeline to match.

