GitHub adds option to ease reporting vulnerabilities in public repositories
Developers’ platform GitHub has announced the general availability of private vulnerability reporting, a private collaboration channel that makes it easier for security researchers to report, and for maintainers to fix, vulnerabilities in public repositories. The public beta of the feature was opened to maintainers at GitHub Universe 2022 to gather feedback.
“One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer. Private vulnerability reporting is a massive step forward,” said Jonathan Leitschuh, GitHub Star, GitHub Security Ambassador.
GitHub reports several improvements to the feature in general availability compared with the public beta. Firstly, while private vulnerability reporting could only be enabled on individual repositories during the public beta, it can now be enabled across all the repositories in a maintainer’s organisation. Maintainers can also choose how to credit those who find vulnerabilities and contribute to their remediation.
Other improvements pertain to automation workflows and integration with third-party systems. With automated submissions, security researchers can use the API to open private vulnerability reports on multiple repositories, saving time. Further, maintainers can keep an eye on critical repositories by scheduling automatic notifications for new vulnerability reports.
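As an added illustration of the API-based batch submission mentioned above (example code written for this article, not GitHub's own), the script below files one private vulnerability report against several repositories and records which ones accepted it. It assumes the REST endpoint `POST /repos/{owner}/{repo}/security-advisories/reports` and its `summary`/`description`/`severity`/`cwe_ids` fields as documented by GitHub, a token in `GITHUB_TOKEN`, and constructed repository names and report contents.

```python
"""Batch-file a private vulnerability report to several public repositories.

Added example, not GitHub's code. Endpoint path and JSON field names follow
GitHub's REST API docs (verify against the current docs before use); repo
names, token handling and report contents are constructed for illustration.
"""
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"
SEVERITIES = ("critical", "high", "medium", "low")


def report_endpoint(owner: str, repo: str) -> str:
    return f"{API}/repos/{owner}/{repo}/security-advisories/reports"


def build_report(summary: str, description: str, severity: str, cwe_ids: list) -> dict:
    # summary and description are the required fields; severity and CWE ids
    # are optional but let the maintainer triage without a follow-up round trip.
    if severity not in SEVERITIES:
        raise ValueError(f"unsupported severity: {severity}")
    return {"summary": summary, "description": description,
            "severity": severity, "cwe_ids": list(cwe_ids)}


def github_post(url: str, payload: dict, token: str) -> tuple:
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:  # surface the API's message, not a traceback
        return e.code, {"message": e.read().decode(errors="replace")}


def submit_reports(repos: list, report: dict, post) -> dict:
    """Submit the same report to every 'owner/name' in repos.

    post(url, payload) -> (status, body) is injected so the batch logic runs
    offline. Repos that have not enabled private reporting (403/404/422) are
    recorded under 'skipped' rather than aborting the whole batch.
    """
    result = {"filed": [], "skipped": [], "failed": []}
    for full_name in repos:
        owner, name = full_name.split("/", 1)
        status, body = post(report_endpoint(owner, name), report)
        if status == 201:
            result["filed"].append((full_name, body.get("html_url")))
        elif status in (403, 404, 422):
            result["skipped"].append((full_name, status))
        else:
            result["failed"].append((full_name, status))
    return result
```

To run it for real, wrap `github_post` with the token, e.g. `submit_reports(["example-org/repo-a"], build_report("Constructed: XSS in search page", "Details…", "high", ["CWE-79"]), lambda u, p: github_post(u, p, os.environ["GITHUB_TOKEN"]))`.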
This feature matters because it gives researchers a clear, documented path for reporting a vulnerability and contacting repository maintainers. Without it, security researchers have had to resort to posting about the vulnerability on social media, sending direct messages to the maintainers, or even opening public issues. Each of these options risks publicly disclosing vulnerability details before a fix exists, details which bad actors can then exploit. Private vulnerability reporting lets security researchers report vulnerabilities directly to maintainers through a simple form.