GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, across all repositories owned by an organization.

Once enabled, security researchers can use this dedicated communication channel to privately disclose security issues to maintainers of an open source project without accidentally disclosing vulnerability details.

It is “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities in public repositories,” Eric Tooley and Kate Catlin of GitHub said.

Since its introduction as an opt-in feature in November 2022 at the GitHub Universe 2022 global developer event, “Leaders from over 30,000 organizations have enabled private vulnerability reporting on over 180,000 repositories, receiving over 1,000 submissions from security researchers.”

Easy to enable in an organization’s repositories

During the public beta testing phase, the option to report private vulnerabilities could only be enabled by maintainers and repository owners on single repositories.

Starting this week, they can now enable this direct bug reporting channel for all repositories in their organization.

GitHub has also added support for integration and automation through a new Repository Security Advisories API, which allows sending private reports to third-party vulnerability management systems and submitting the same report to multiple repositories that share a security vulnerability.

It can also be configured so that private bug reporting is automatically enabled on all new public repositories.

The feature can be enabled under “Security and Code Analysis” by clicking the “Enable All” button next to the “Private Vulnerability Report” option.

Enabling Private Vulnerability Reporting (GitHub)

Owners and administrators of public repositories should toggle private vulnerability reporting on to ensure they receive bug reports on the same platform where they are fixed, discuss all the details with researchers, and safely collaborate with them to create a fix.

Once enabled, security researchers can submit private security reports directly to GitHub from the Security tab under the repository name by clicking “Report a Vulnerability” in the left sidebar, under Reports > Advisories.

Private bug reports can also be submitted through the GitHub REST API using the parameters described on this documentation page.
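As an added example, not code from the article or from GitHub: a small Python client that assembles a report body for the REST endpoint that privately reports a vulnerability to a repository, and submits the same report to every repository that shares the flaw, which is the multi-repository case the API is meant for. Assumed: a token with rights to that endpoint, and the field names as documented for it (summary, description, vulnerabilities, cwe_ids, severity, start_private_fork); all sample values are constructed.

```python
import json
import urllib.request

API = "https://api.github.com"
API_VERSION = "2022-11-28"
SEVERITIES = {"critical", "high", "medium", "low"}


def build_report(summary, description, *, ecosystem=None, package=None,
                 vulnerable_range=None, patched_versions=None,
                 cwe_ids=(), severity=None, start_private_fork=False):
    """Build the JSON body for POST /repos/{owner}/{repo}/security-advisories/reports.
    summary and description are required by the endpoint; the rest is optional
    but gives maintainers what they need to triage and to draft the advisory."""
    if not summary or not description:
        raise ValueError("summary and description are required")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    body = {"summary": summary, "description": description,
            "start_private_fork": start_private_fork}
    if package:  # affected package, in the advisory's vulnerabilities[] shape
        body["vulnerabilities"] = [{
            "package": {"ecosystem": ecosystem, "name": package},
            "vulnerable_version_range": vulnerable_range,
            "patched_versions": patched_versions}]
    if cwe_ids:
        body["cwe_ids"] = list(cwe_ids)
    if severity:
        body["severity"] = severity
    return body


def submit_report(owner, repo, token, body, transport=urllib.request.urlopen):
    """POST one private report and return (HTTP status, parsed response).
    transport is injectable so the flow can be exercised without network access."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/security-advisories/reports",
        data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": API_VERSION,
                 "Content-Type": "application/json"})
    with transport(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def report_to_all(repos, token, body, transport=urllib.request.urlopen):
    """Send the same report to every (owner, repo) pair that shares the flaw,
    e.g. sibling projects vendoring the same code; returns status per repo."""
    return {f"{o}/{r}": submit_report(o, r, token, body, transport)[0]
            for o, r in repos}
```

A 4xx response (for example when private vulnerability reporting is not enabled on the target repository) surfaces as urllib.error.HTTPError, so wrap the call if you want to continue with the remaining repositories.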

Last month, GitHub also announced that its secret scanning alerts service is now generally available for all public repositories.
