Security Experts:

GitHub Introduces Private Vulnerability Reporting for Public Repositories

Microsoft-owned code hosting platform GitHub has announced the introduction of a direct channel for security researchers to report vulnerabilities in public repositories that allow it.

The new private vulnerability reporting capability enables repository maintainers to allow security researchers to report to them any vulnerabilities identified in their code.

Some repositories may contain specific instructions on how the maintainers can be contacted for vulnerability reporting, but for those that do not, researchers often report issues publicly.

Regardless of whether the researcher reports the vulnerability via social media or by creating a public issue, this method could result in vulnerability details inadequately being made public.

To avoid such situations, GitHub has introduced private reporting, where researchers can directly contact repository maintainers willing to enroll.

If the functionality is enabled, the reporting security researchers are provided with a simple form they can fill out with details on the identified issue.

“Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository,” GitHub says.

Once a vulnerability has been reported, the repository maintainer receives a notification and can either accept or dismiss the report, or ask more questions about the issue.

Benefits of the new capability, GitHub says, include the opportunity to discuss vulnerability details privately, receiving the reports directly on the same platform where the issue is discussed and addressed, the advisory report being initiated by the reporter, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled under the ‘Settings’ section on the repository’s main page, in the ‘Security’ section of the sidebar, under ‘Code security and analysis’.

Once the functionality has been enabled, security researchers can submit reports by clicking on a new ‘Report a vulnerability’ button in the ‘Advisories’ page of the repository.

The code hosting platform announced the private vulnerability reporting at the GitHub Universe 2022 global developer event, where it also announced the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open source developers.

Through the new GitHub Accelerator initiative, the platform will provide a $20,000 incentive to 20 developers who maintain open source repositories, while the new $10 million M12 GitHub Fund is meant to support open source companies of the future.

Related: GitHub Improves npm Account Security as Incidents Rise

Related: GitHub Announces General Availability of Code Scanning Feature

Related: New GitHub Security Lab Aims to Secure Open Source Software

view counter