The public beta phase for GitHub’s private vulnerability reporting is over, and the feature is now available to everyone.

During the public beta, over 30,000 organizations enabled the feature on more than 180,000 repositories and received over 1,000 submissions.

With the general availability, GitHub also implemented various new features to the service, such as multiple credit types.

GitHub has announced that its private vulnerability reporting, first presented in November 2022 at GitHub Universe 2022, is now available to everyone. After the public beta phase, the feature is generally available, making it easier for researchers and maintainers to report and fix vulnerabilities in public repositories. It removes the difficulty of making the initial contact to disclose a vulnerability to a maintainer.

Making it easier to report and fix

Since its public beta launch, maintainers at more than 30,000 organizations have enabled private vulnerability reporting on more than 180,000 repositories and received over 1,000 submissions from researchers. During the public beta phase, GitHub also gathered feedback from the open-source community and implemented multiple improvements, such as:

Enable at scale. During the public beta, private vulnerability reporting could only be enabled on individual repositories. Now, maintainers can enable private vulnerability reporting on all repositories in their organization.

Multiple credit types. Maintainers can choose how to credit those who find vulnerabilities and those who contribute to their remediation.

Integration and automation. A new repository security advisories API supports several new integration and automation workflows:

Integration with third-party systems: maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems.

Automated submissions: security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when packages share a common vulnerability.

Vulnerability alerts: anyone can keep a close eye on critical repositories by scheduling automatic pings for notifications of new vulnerability reports.
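As an added example of the vulnerability-alerts workflow described above (not GitHub's own code), a small Python poller: it lists a repository's advisories through the repository security advisories REST endpoint, keeps only private reports still in "triage" state that have not been pinged before, and formats a one-line notification. The endpoint, query parameter and field names follow GitHub's REST API documentation; the sample responses and GHSA ids are constructed placeholders, and the token, owner and repository are assumed inputs.

```python
import json
import urllib.request

# Endpoint, query parameter and field names follow GitHub's REST API for
# repository security advisories; a report awaiting review has state "triage".
API_ROOT = "https://api.github.com"


def github_fetcher(owner, repo, token):
    """Build a callable that lists one repository's advisories in 'triage' state."""
    def fetch():
        url = f"{API_ROOT}/repos/{owner}/{repo}/security-advisories?state=triage&per_page=100"
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def new_reports(fetch, seen):
    """Return unseen 'triage' reports oldest first (keyed by GHSA id) and mark them seen."""
    # Drafts and published advisories are already known to maintainers: no ping.
    fresh = [a for a in fetch()
             if a.get("state") == "triage" and a.get("ghsa_id") not in seen]
    fresh.sort(key=lambda a: a.get("created_at", ""))
    seen.update(a["ghsa_id"] for a in fresh)
    return fresh


def format_ping(report):
    """One-line notification text for a chat webhook or an email subject."""
    return (f"[{report.get('severity', 'unknown')}] {report['ghsa_id']}: "
            f"{report.get('summary', '(no summary)')}")


# Constructed sample responses (placeholder GHSA ids) for two polling rounds.
SAMPLE_ROUND_1 = [
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "state": "triage", "severity": "high",
     "summary": "Path traversal in archive extractor", "created_at": "2023-04-20T10:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "state": "published", "severity": "low",
     "summary": "Already published, must be ignored", "created_at": "2023-04-01T00:00:00Z"},
]
SAMPLE_ROUND_2 = SAMPLE_ROUND_1 + [
    {"ghsa_id": "GHSA-xxxx-xxxx-0003", "state": "triage", "severity": "critical",
     "summary": "Auth bypass in token check", "created_at": "2023-04-21T08:30:00Z"},
]
```

To run it against a live repository, pass `github_fetcher(owner, repo, token)` as the `fetch` argument and persist the `seen` set between scheduled runs.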

Like GitHub’s other security capabilities, private vulnerability reporting is free for public repositories.