GitHub, the platform for hosting source code repositories and collaborative software development, has announced new functionality to enable private vulnerability reporting at scale across all organizations using its platform.
Security researchers can use this dedicated channel to privately report any security issues in an open source project, without accidentally sharing vulnerability details with the general public.
GitHub Code Security, the new private vulnerability reporting tool
This new channel is “a private collaborative medium that makes it easier for researchers and maintainers to report and fix vulnerabilities in public repositories,” according to GitHub’s Eric Tooley and Kate Catlin, who announced the feature.
Previously, during the public beta phase, repository owners and maintainers could only enable private vulnerability reporting on individual repositories. From now on, they can enable it across all repositories within their organization.
In addition, GitHub has added integration and automation support through a new repository security advisory API, which allows private reports to be sent to third-party vulnerability management systems and the same report to be shared with multiple repositories affected by the same security flaw.
It can also be configured so that private vulnerability reporting is automatically enabled on all new public repositories.
How to enable private vulnerability reports
Owners and administrators of public repositories should enable private vulnerability reporting so that they receive reports on the same platform where the issues are fixed, can discuss all details with researchers, and can collaborate with them securely on a patch.
Once enabled, security researchers can submit private security reports directly to GitHub from the Security tab under the repository name by clicking “Report a vulnerability” in the left sidebar under Reports > Advisories.
Private vulnerability reports can also be submitted via the GitHub REST API using the parameters described on this documentation page.
Vulnerability reporting feature available for all public GitHub repositories
Last month, GitHub also announced that its secret scanning alert service is now available for all public repositories.
This service detects and alerts on security vulnerabilities in code hosted in public GitHub repositories. Once an issue is detected, GitHub sends an alert to the repository owner so that they can take action to fix it.
With this new functionality, GitHub continues to improve its security and collaborative development platform to ensure that users can work more efficiently and securely on building open source projects.