GitHub’s private vulnerability reporting feature, which has been tested since late last year, has now become generally available.
Going forward, maintainers of open-source (opens in new tab) projects will be able to communicate with security researchers directly, being tipped off on security issues without the risk of vulnerabilities making it to the public.
Maintainers can enable the feature at scale and thus better protect all of their repositories. Earlier, open-source project maintainers could only turn the feature on a single repository.
GitHub security boost
GitHub’s Eric Tooley and Kate Caitlin described the feature as “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories.”
The company first introduced it in November 2022 and since then, maintainers for more than 30,000 organizations turned the feature on, protecting more than 180,000 repositories. Security researchers have made more than 1,000 submissions during that time.
The platform also announced a new repository security advisories API that supports a number of new integration and automation workflows. Among other things, “maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems,” while “security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories.”
Finally, maintainers and security researchers can schedule automatic pings for notifications of new vulnerability reports.
Supply chain cyberattacks have become quite popular these days, turning GitHub into one of the most popular attack vectors out there. Threat actors would abuse the platform to hide malicious code, possibly distributing it to hundreds of projects at once. Therefore, protecting open-source code repositories such as GitHub has become essential for small and medium-sized businesses as they scale their digital operations.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba