GitHub Introduces Private Vulnerability Reporting for Public Repositories

Microsoft-owned code hosting platform GitHub has announced the introduction of a direct channel for security researchers to report vulnerabilities in public repositories that allow it.

The new private vulnerability reporting capability enables repository maintainers to allow security researchers to report to them any vulnerabilities identified in their code.

Some repositories may contain specific instructions on how the maintainers can be contacted for vulnerability reporting, but for those that do not, researchers often report issues publicly.

Regardless of whether the researcher reports the vulnerability via social media or by creating a public issue, this method could result in vulnerability details being made public inappropriately.

To avoid such situations, GitHub has introduced private reporting, where researchers can directly contact repository maintainers willing to enroll.

If the functionality is enabled, the reporting security researchers are provided with a simple form they can fill out with details on the identified issue.

“Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository,” GitHub says.

Once a vulnerability has been reported, the repository maintainer receives a notification and can either accept or dismiss the report, or ask more questions about the issue.

Benefits of the new capability, GitHub says, include the opportunity to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, having the advisory report initiated by the reporter, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled under the ‘Settings’ section on the repository’s main page, in the ‘Security’ section of the sidebar, under ‘Code security and analysis’.

Once the functionality has been enabled, security researchers can submit reports by clicking on a new ‘Report a vulnerability’ button in the ‘Advisories’ page of the repository.

The code hosting platform announced private vulnerability reporting at the GitHub Universe 2022 global developer event, where it also announced the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open source developers.

Through the new GitHub Accelerator initiative, the platform will provide a $20,000 incentive to 20 developers who maintain open source repositories, while the new $10 million M12 GitHub Fund is meant to support open source companies of the future.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
