- GitHub introduces private vulnerability reporting, making it easy for security researchers to report vulnerabilities directly to maintainers.
- When a security researcher reports a vulnerability privately, the maintainer can choose to accept it, ask more questions, or reject it.
- GitHub’s new feature aims to keep vulnerabilities from being published publicly before a fix exists, reducing the window in which they could be exploited.
GitHub introduced a new feature that allows users to report vulnerabilities privately. In some cases, when a repository gives no instructions on how to contact its maintainer, security researchers may have no option but to post about the vulnerability publicly. That amounts to public disclosure of the vulnerability and may allow threat actors to exploit it before a patch is available.
Privately reporting a vulnerability
GitHub’s new feature, private vulnerability reporting, is a new way to report vulnerabilities directly to the maintainer through a simple form. When the maintainer receives a private report, they are notified and can accept it, ask more questions, or reject it. Once the report is accepted, maintainers can collaborate privately with the security researcher on a fix for the vulnerability. For maintainers, the benefits of using private vulnerability reporting are:
- Less risk of being contacted publicly, or via undesired means.
- Reports arrive on the same platform you resolve them in, for simplicity.
- The security researcher creates, or at least initiates, the advisory report on behalf of the maintainers.
- Maintainers receive reports on the same platform as the one used to discuss and resolve the advisories.
- The vulnerability is less likely to be in the public eye.
- The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.
To enable or disable the private vulnerability reporting feature for a repository, users can:
- On GitHub.com, navigate to the main page of the repository.
- Under your repository name, click Settings.
- In the “Security” section of the sidebar, click Code security and analysis.
- Under “Code security and analysis”, to the right of “Private vulnerability reporting”, click Enable or Disable, to enable or disable the feature, respectively.
Once the new feature is enabled for a repository, a new button will appear on the Advisories page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer.
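The steps above toggle the setting one repository at a time through the web UI. An organisation with many repositories will usually want to check them all and enable the feature wherever it is off. The script below is an added example, not GitHub's own code; it assumes a GitHub REST endpoint of the form `GET`/`PUT /repos/{owner}/{repo}/private-vulnerability-reporting` that returns `{"enabled": true|false}` on `GET` and `204 No Content` on a successful `PUT` (an assumption to verify against the current REST documentation). The HTTP layer is injected as a callable so the audit logic can be exercised offline against a constructed in-memory stand-in for api.github.com.

```python
"""Audit, and optionally enable, private vulnerability reporting across repositories.

Added example, not GitHub's own code. The endpoint path and response shape
below are assumptions; confirm them against the current GitHub REST docs.
"""
import json
import urllib.request

API = "https://api.github.com"
# Assumed endpoint (see lead-in); GET -> {"enabled": bool}, PUT -> 204.
PVR_PATH = "/repos/{owner}/{repo}/private-vulnerability-reporting"


def github_fetch(token):
    """Build a fetch(method, path) callable that talks to the real API."""
    def fetch(method, path):
        req = urllib.request.Request(API + path, method=method, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        # urlopen raises HTTPError for 4xx/5xx; let the caller see it.
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    return fetch


def pvr_enabled(fetch, owner, repo):
    """Return True if private vulnerability reporting is on for owner/repo."""
    status, body = fetch("GET", PVR_PATH.format(owner=owner, repo=repo))
    if status != 200 or not isinstance(body, dict):
        raise RuntimeError(f"unexpected response {status} for {owner}/{repo}")
    return bool(body.get("enabled"))


def audit(fetch, repos, enable=False):
    """Map "owner/repo" -> 'enabled', 'disabled' or 'enabled-now'.

    With enable=True, repositories found disabled are switched on via PUT.
    """
    result = {}
    for full in repos:
        owner, repo = full.split("/", 1)
        if pvr_enabled(fetch, owner, repo):
            result[full] = "enabled"
        elif enable:
            status, _ = fetch("PUT", PVR_PATH.format(owner=owner, repo=repo))
            result[full] = "enabled-now" if status == 204 else "disabled"
        else:
            result[full] = "disabled"
    return result


class FakeGitHub:
    """Constructed in-memory stand-in for api.github.com, for offline runs."""

    def __init__(self, state):
        self.state = dict(state)  # "owner/repo" -> enabled?
        self.calls = []           # every (method, path) seen, for inspection

    def __call__(self, method, path):
        self.calls.append((method, path))
        _, _, owner, repo, _ = path.split("/", 4)
        key = f"{owner}/{repo}"
        if method == "GET":
            return 200, {"enabled": self.state[key]}
        if method == "PUT":
            self.state[key] = True
            return 204, None
        raise ValueError(method)


if __name__ == "__main__":
    # Constructed sample: one repo already enabled, one not.
    fake = FakeGitHub({"example-org/api": True, "example-org/web": False})
    print(audit(fake, ["example-org/api", "example-org/web"], enable=True))
    # Against the real API: audit(github_fetch(TOKEN), repos, enable=True)
```

Run it against the real service by swapping `FakeGitHub` for `github_fetch(token)` with a token that has administration rights on the repositories; a read-only token is enough for an audit with `enable=False`.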