GitHub has launched a private vulnerability reporting feature that enables developers and maintainers to report and fix vulnerabilities in public repositories through a private collaboration channel. The public beta of the feature was announced at GitHub Universe 2022, where maintainers were encouraged to provide feedback.
Private vulnerability reporting gives security researchers clear instructions on how to report a vulnerability and contact repository maintainers, which matters because the alternative channels risk publicly disclosing vulnerability details that bad actors can exploit. Without this feature, security researchers would have to post the vulnerability on social media, send direct messages to maintainers, or open public issues.
The general-availability release of private vulnerability reporting includes several improvements over the public beta. It can now be enabled for all repositories in a maintainer's organisation, and maintainers can choose how to credit those who find vulnerabilities and contribute to their remediation. Automation has also been improved: security researchers can use APIs to open private vulnerability reports on multiple repositories, saving time. Further, maintainers can set up automatic notifications for new vulnerability reports to keep an eye on critical repositories.