GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization.
Once toggled on, security researchers can use this dedicated communications channel to privately disclose security issues to an open-source project’s maintainers without accidentally leaking vulnerability details.
This is “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories,” GitHub’s Eric Tooley and Kate Catlin said.
Since its introduction as an opt-in feature in November 2022 during the GitHub Universe 2022 global developer event, “maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers.”
Easy to enable across an org’s repos
During the public beta test phase, the option to report private vulnerabilities could only be activated by maintainers and repository owners only on single repositories.
Starting this week, they can now enable this direct bug-reporting channel for all repositories within their organization.
GitHub has also added integration and automation support via a new repository security advisories API that enables dispatching private reports to third-party vulnerability management systems and submitting the same report to multiple repos sharing a security flaw.
It can also be configured so private bug reporting is enabled automatically on all new public repositories.
The functionality can be enabled under ‘Code security and analysis’ by clicking the ‘Enable all’ button next to the ‘Private vulnerability reporting’ option.
Owners and administrators of public repositories should toggle private vulnerability reporting to ensure they receive bug reports on the same platform where they get resolved, discuss all details with researchers, and securely collaborate with them to create a patch.
After it’s enabled, security researchers can submit private security reports directly on GitHub from the Security tab under the repository name by clicking on the ‘Report a vulnerability’ in the left sidebar, under Reporting > Advisories.
Private bug reports can also be sent via the GitHub REST API using the parameters described on this documentation page.
Last month, GitHub also announced that its secret scanning alerts service is now generally available for all public repositories.
