You can now privately report vulnerabilities on GitHub

Kevin Okemwa


Microsoft-owned GitHub has announced that private vulnerability reporting has shipped to general availability. The feature has been in public beta for testing. It’s designed to provide a platform where researchers and maintainers can easily report and fix vulnerabilities in public repositories.

GitHub discovered that there was a loophole when it comes to communication between researchers and maintainers, deeming it difficult for vulnerabilities to be quickly identified and fixed. The company indicates that “Since then, maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers.”

Private vulnerability reporting on GitHub is in place to help promote a best practice “that helps maintainers and security researchers keep open source projects healthy and secure.” It helps prevent public discussion of issues while simultaneously saving time and resources.

Jordan Tucker, maintainer of JSON5 is also a beneficiary of this feature and has indicated that:

Private vulnerability reporting makes it so much easier for the open source community to report and fix vulnerabilities, and I would encourage every maintainer to enable it on their public repositories.

Additionally, project owners also benefit a great deal from this feature. Usually, when an email is sent out detailing a vulnerability, users often ignore the emails or flag them as phishing attacks. In turn, this makes it difficult for the issue to be resolved.

However, the private vulnerability reporting feature provides users with an open platform that’s easily accessible to everyone. It also features draft pull requests where project maintainers can access everything they want and lodge complaints about issues affecting them.

It is also worth noting that the feature also ships with several new features as well as improvements. First, private vulnerability reporting can be enabled at a scale. Previously, while in public beta the feature could only be enabled on individual repositories.

Next up, the feature now ships with multiple credit types. Maintainers now get to choose how they’d prefer to credit users that identify and report vulnerabilities.

And finally, a new repository security advisories API supports several new integration and automation workflows. We invite you to check out GitHub’s blog post for more information about these new capabilities.