GitHub is allowing developers to notify their peers of discovered vulnerabilities – quietly. The company says this will avoid the “name and shame” game and prevent exploitations that might result from public disclosure.
In a blog post (opens in new tab) earlier this week, GitHub said given the way that platform is currently set up, sometimes there's no other option but to disclose a vulnerability publicly – and before malware removal software can be deployed – alerting potential threat actors.
“Security researchers often feel responsible for alerting users to a vulnerability that could be exploited,” the blog reads. “If there are no clear instructions about contacting maintainers of the repository containing the vulnerability. It can potentially lead to a public disclosure of the vulnerability details.”
Private vulnerability reporting
To tackle the issue, GitHub has now introduced private vulnerability reporting – essentially a simple reporting form.
When a developer tries to reach out to the maintainer of the affected vulnerability via Private vulnerability reporting, the latter can choose to either accept it, ask more questions, or reject it.
“If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher,” the post explains.
The Microsoft-owned platform also hopes this disclosure method will streamline troubleshooting efforts, since reports are dealt with in a single place. Furthermore, it gives maintainers the opportunity to discuss vulnerability details in private with security researchers and ultimately use patch management software to collaborate on a fix.
The repository's community has welcomed the news, The Register (opens in new tab) reported. It spoke to multiple CTOs, technical engineers and threat hunters, all of which agree that such a feature was in high demand on GitHub.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba