The GitHub Advisory Database, a database of vulnerabilities in open source software, is now open to anyone who wants to contribute information on a vulnerability. Contributions are curated by an expert panel.
The GitHub Advisory Database is the world’s largest database of open source software vulnerabilities. It is maintained by a dedicated GitHub team, powers GitHub’s own Dependabot alerts and covers package ecosystems such as npm and NuGet. GitHub now welcomes community contributions of information on known vulnerabilities.
Open repository
The content of the GitHub Advisory Database, which could previously only be curated by GitHub staff, has been published in a new public repository. The community of open source developers is invited to contribute new information on known vulnerabilities.
All information is published under a Creative Commons license (CC BY 4.0), so anyone can reuse the data freely with attribution. The goal is to improve the security of open source software by making advisory data both easier to obtain and easier to correct.
Workflow for contributions
Community members can now suggest improvements to an existing advisory from that advisory’s page, for example which packages are affected, which version ranges are vulnerable and which are patched, and what impact the vulnerability has on a particular ecosystem.
A suggestion opens a pull request against the public repository. The GitHub Security Lab panel, together with the original reporter of the vulnerability, reviews each proposed change; once approved, it is merged into the advisory database (not into the affected software itself).
Open Source Vulnerabilities (OSV) format
The GitHub Advisory Database repository stores every advisory as a JSON file in the Open Source Vulnerabilities (OSV) format, and contributions use the same format. OSV is a machine-readable schema that records the affected package and ecosystem, the introduced and fixed version ranges, references and severity. Because the schema is shared with other OSV databases, advisories can be exchanged and processed by tooling at scale, and contributors have a single, well-defined structure to edit.
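As an added illustration (this is example code, not code from GitHub’s advisory-database repository), the following Python shows how the OSV `affected` section is consumed: it checks whether a given package version falls inside an advisory’s affected ranges or explicit version list. The advisory embedded in the block is constructed for this example; its GHSA identifier, package names, dates and version numbers are placeholders.

```python
import json

# Constructed sample advisory in OSV format. The GHSA id, package names,
# dates and version ranges are placeholders for this example, not a real record.
SAMPLE_ADVISORY_JSON = """
{
  "schema_version": "1.4.0",
  "id": "GHSA-xxxx-xxxx-xxxx",
  "modified": "2022-02-22T00:00:00Z",
  "published": "2022-02-22T00:00:00Z",
  "summary": "Constructed example advisory for example-lib",
  "details": "Placeholder record used to demonstrate OSV range matching.",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "example-lib"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
      ]
    },
    {
      "package": {"ecosystem": "npm", "name": "example-lib-legacy"},
      "versions": ["0.9.0", "0.9.1"]
    }
  ]
}
"""

ADVISORY = json.loads(SAMPLE_ADVISORY_JSON)

REQUIRED_FIELDS = ("id", "modified")  # the only top-level fields OSV makes mandatory


def missing_required_fields(advisory: dict) -> list:
    """Return the required OSV top-level fields that are absent from a record."""
    return [f for f in REQUIRED_FIELDS if f not in advisory]


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2). OSV uses '0' to mean 'from the first release'.
    Pre-release and build suffixes are dropped (assumption: adequate for plain
    numeric npm/NuGet-style versions; full semver ordering is richer than this)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def affected_intervals(rng: dict):
    """Yield (introduced, fixed, last_affected) triples from an OSV range's events.
    'fixed' is exclusive, 'last_affected' inclusive; None means unbounded."""
    introduced = parse_version("0")
    open_interval = False
    for ev in rng.get("events", []):
        if "introduced" in ev:
            if open_interval:
                yield (introduced, None, None)   # previous interval never closed
            introduced, open_interval = parse_version(ev["introduced"]), True
        elif "fixed" in ev:
            yield (introduced, parse_version(ev["fixed"]), None)
            open_interval = False
        elif "last_affected" in ev:
            yield (introduced, None, parse_version(ev["last_affected"]))
            open_interval = False
    if open_interval:
        yield (introduced, None, None)           # introduced, no fix released yet


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if package@version lies in any affected range or enumerated version list."""
    v = parse_version(version)
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):       # explicit enumeration
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue      # GIT ranges are commit-based; out of scope here
            for intro, fixed, last in affected_intervals(rng):
                if v < intro:
                    continue
                if fixed is not None and v >= fixed:
                    continue
                if last is not None and v > last:
                    continue
                return True
    return False


if __name__ == "__main__":
    print(missing_required_fields(ADVISORY))                       # []
    for ver in ("1.4.1", "1.4.2", "1.9.0", "2.0.5", "2.1.0"):
        print(ver, is_affected(ADVISORY, "npm", "example-lib", ver))
```

Two details of the format matter in practice: `fixed` is exclusive while `last_affected` is inclusive, and an `introduced` event with no closing event means every later version is still vulnerable. The version parser here handles plain numeric versions only; for real npm or NuGet data you would substitute a proper semver comparison, and `GIT` ranges need commit history rather than version arithmetic.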