GitHub’s private vulnerability reporting feature, which has been in testing since late last year, is now generally available.
Moving forward, maintainers of open-source projects will be able to communicate directly with security researchers, receiving details of security issues without the risk of the vulnerabilities being disclosed publicly.
Maintainers can now enable the feature at scale and thus better protect all their repositories; previously, open source maintainers could only enable it one repository at a time.
Increasing the security of GitHub
Eric Tooley and Kate Catlin of GitHub described the feature as “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities in public repositories.”
The company first introduced it in November 2022, and since then maintainers in over 30,000 organizations have enabled the feature, protecting over 180,000 repositories. Security researchers made more than 1,000 submissions during that time.
The platform also announced a new Repository Security Advisories API that supports a range of new integration and automation workflows. Among other things, “maintainers can submit private vulnerability reports from GitHub to third-party vulnerability management systems,” while “security researchers can also use the API to programmatically open private vulnerability reports across multiple repositories.”
Finally, maintainers and security researchers can schedule automatic notifications of new vulnerability reports.
Supply chain attacks have become common, turning GitHub into one of the most popular attack vectors. Threat actors use the platform to hide malicious code, potentially distributing it to hundreds of projects at once. That is why protecting open source code repositories like GitHub has become essential for small and medium businesses that are scaling their digital operations.