
The feature makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories.

This week GitHub announced that private vulnerability reporting is now generally available on all repositories belonging to an organization.

The new dedicated communications channel allows security researchers to privately disclose security issues to an open-source project’s maintainers in a secure environment, without the threat of leaking vulnerability details.

Eric Tooley, GitHub’s Senior Product Marketing Manager, and Kate Catlin, the organisation’s Senior Product Manager, co-authored a blog post in which they detailed the advantages of the new feature. “Thanks to feedback from the open source community, we’ve implemented a number of improvements for the general availability of private vulnerability reporting,” they write.

Private vulnerability reporting available at scale

The first such improvement is the ability to enable private vulnerability reporting “at scale”. They explain that during the public beta, private vulnerability reporting could only be switched on one repository at a time. “Now, maintainers can enable private vulnerability reporting on all repositories in their organization”.

Multiple credit types are also available. “Maintainers can choose how to credit those who find and contribute to vulnerabilities and remediation”, they say.

Integration and Automation

Finally, the feature now offers better integration and automation, thanks to a new repository security advisories API that supports several integration and automation workflows, including integration with third-party systems. This is where “maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems”, they explain.

Automated submissions are also possible. Security researchers can use the API to open a private vulnerability report on multiple repositories programmatically. They characterize this as “a time-saving convenience when packages share a common vulnerability.”
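The two API workflows described above, piping open reports into an external tracker and filing one report against several repositories, as an added example. This is the editor's code, not GitHub's and not from the blog post; the endpoint paths, query parameters and JSON field names are assumptions based on the GitHub REST API documentation as recalled here and should be checked against the current docs, the `acme` organisation, repository names, token and advisory data are constructed, and the `opener` parameter exists only so a fake transport can be injected and the script runs offline.

```python
"""Added example, not code from GitHub or from the blog post's authors.

Two helpers around the repository security advisories REST API mentioned in
the article: one files the same private report on several repositories, the
other pulls open reports so they can be piped into a ticketing or
vulnerability-management system.

Assumptions: endpoint paths, query parameters and JSON field names follow the
GitHub REST API documentation as recalled by the editor and must be checked
against the current docs before use; `opener` exists only so a fake
transport can be injected and the script runs offline.
"""
import json
import urllib.request

API = "https://api.github.com"


def github_http(method, url, token, body=None):
    """Real transport: urllib with a token that has the security-advisories
    permission on the target repositories. Not exercised offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"null")


def build_report(summary, description, ecosystem, package, vulnerable_range,
                 patched, severity, cwe_ids=()):
    """Request body for 'Privately report a security vulnerability'
    (POST /repos/{owner}/{repo}/security-advisories/reports); field names
    are an assumption, see module docstring."""
    return {
        "summary": summary,
        "description": description,
        "severity": severity,
        "cwe_ids": list(cwe_ids),
        "vulnerabilities": [{
            "package": {"ecosystem": ecosystem, "name": package},
            "vulnerable_version_range": vulnerable_range,
            "patched_versions": patched,
        }],
    }


def report_to_many(owner, repos, body, token, opener=github_http):
    """File the same private report against several repositories, the
    'packages share a common vulnerability' case. Returns {repo: (status,
    GHSA id on success or the API error message on failure)}; a repo that
    has not enabled private reporting answers with an error, not 201."""
    results = {}
    for repo in repos:
        url = f"{API}/repos/{owner}/{repo}/security-advisories/reports"
        status, payload = opener("POST", url, token, body)
        payload = payload or {}
        results[repo] = (status, payload.get("ghsa_id") or payload.get("message"))
    return results


def pipe_reports(owner, repo, token, opener=github_http, state="triage"):
    """List private reports in the given state (GET
    /repos/{owner}/{repo}/security-advisories?state=...) and flatten each
    into the record a third-party vulnerability tracker would ingest."""
    url = f"{API}/repos/{owner}/{repo}/security-advisories?state={state}&per_page=100"
    status, advisories = opener("GET", url, token)
    if status != 200:
        raise RuntimeError(f"{owner}/{repo}: HTTP {status}")
    return [{
        "repo": f"{owner}/{repo}",
        "ghsa_id": adv["ghsa_id"],
        "title": adv.get("summary", ""),
        "severity": adv.get("severity") or "unknown",   # researcher may leave it blank
        "reported_at": adv.get("created_at"),
        "url": adv.get("html_url"),
    } for adv in advisories if adv.get("state", state) == state]


# ---- constructed offline fixture: fake API responses, not real data ------
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-xxxx-xx01", "summary": "Path traversal in upload()",
     "severity": "high", "state": "triage", "created_at": "2023-04-20T10:00:00Z",
     "html_url": "https://github.com/acme/lib-a/security/advisories/GHSA-xxxx-xxxx-xx01"},
    {"ghsa_id": "GHSA-xxxx-xxxx-xx02", "summary": "Prototype pollution in merge()",
     "severity": None, "state": "triage", "created_at": "2023-04-21T09:30:00Z",
     "html_url": "https://github.com/acme/lib-a/security/advisories/GHSA-xxxx-xxxx-xx02"},
]


def fake_opener(method, url, token, body=None):
    """Stand-in transport: 201 for POSTs except on repo 'no-pvr', which
    plays a repository without private reporting enabled."""
    if method == "POST":
        if "/repos/acme/no-pvr/" in url:
            return 404, {"message": "Not Found"}
        return 201, {"ghsa_id": "GHSA-xxxx-xxxx-xx03"}
    return 200, SAMPLE_ADVISORIES


if __name__ == "__main__":
    body = build_report("Path traversal in upload()", "Filenames are not normalised.",
                        "npm", "acme-upload", "< 2.4.1", "2.4.1", "high", ["CWE-22"])
    print(report_to_many("acme", ["lib-a", "lib-b", "no-pvr"], body, "TOKEN", fake_opener))
    print(json.dumps(pipe_reports("acme", "lib-a", "TOKEN", fake_opener), indent=2))
```

Run it as-is to see the fake responses; swap `fake_opener` for the default `github_http` and a real token to talk to GitHub. Note that the per-repository result dictionary is deliberate: when a report is fanned out across packages, the repositories that have not enabled private reporting simply fail, and the script should surface that rather than stop at the first one.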

Notifications let anyone keeping a close eye on critical repositories receive an automatic alert whenever a new private vulnerability report is opened.

Tooley and Catlin close their post with a confirmation that private vulnerability reporting, like the rest of GitHub’s security capabilities (e.g., Dependabot, code scanning, and secret scanning), is free for public repositories.