GitHub’s private vulnerability reporting feature, which has been tested since late last year, has now become generally available.
Going forward, maintainers of open-source (opens in new tab) projects will be able to communicate with security researchers directly, being tipped off on security issues without the risk of vulnerabilities making it to the public.
Maintainers can enable the feature at scale and thus better protect all of their repositories. Earlier, open-source project maintainers could only turn the feature on a single repository.
GitHub security boost
GitHub’s Eric Tooley and Kate Caitlin described the feature as “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories.”
The company first introduced it in November 2022 and since then, maintainers for more than 30,000 organizations turned the feature on, protecting more than 180,000 repositories. Security researchers have made more than 1,000 submissions during that time.
The platform also announced a new repository security advisories API that supports a number of new integration and automation workflows. Among other things, “maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems,” while “security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories.”
Finally, maintainers and security researchers can schedule automatic pings for notifications of new vulnerability reports.
Supply chain cyberattacks have become quite popular these days, turning GitHub into one of the most popular attack vectors out there. Threat actors would abuse the platform to hide malicious code, possibly distributing it to hundreds of projects at once. Therefore, protecting open-source code repositories such as GitHub has become essential for small and medium-sized businesses as they scale their digital operations.