GitHub Opens Private Vulnerability Reporting for Projects

GitHub private vulnerability reporting is now reaching public beta, allowing security researchers to privately warn project maintainers about vulnerabilities before they are disclosed.

GitHub is making it much easier for project admins to find out about vulnerabilities and fix them before they become public. The company says a new feature gives security researchers a channel to privately report vulnerabilities to project maintainers.

The feature, called “private vulnerability reporting”, is part of GitHub's security advisories, which help developers coordinate, fix, and disclose security issues.

It is worth noting that the feature has been in preview since last year and is now becoming publicly available (although still as a beta release). As private vulnerability reporting reaches all users, GitHub is adding the following new abilities:

  • “Enable at scale. During the public beta, private vulnerability reporting could only be enabled on individual repositories. Now, maintainers can enable private vulnerability reporting on all repositories in their organization.
  • Multiple credit types. Maintainers can choose how to credit those who find and contribute to vulnerabilities and remediation.
  • Integration and automation. A new repository security advisories API supports several new integration and automation workflows:
    • Integration with third-party systems: maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems.
    • Automated submissions: security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when packages share a common vulnerability.
    • Vulnerability alerts: anyone can keep a close eye on critical repos by scheduling automatic pings for notifications of new vulnerability reports.”

How Private Vulnerability Reporting Works

To use private vulnerability reporting, researchers navigate to the Security tab of the repository they want to report a vulnerability in and click “Report a vulnerability” to open an advisory form. Once the form is submitted, the repository maintainer receives a notification and can review the report. The maintainer can then decide whether to accept or reject the report and communicate with the researcher privately, without the details appearing in a public issue.
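The API workflows listed above (automated submission of one report to several repositories, and polling for new reports to feed alerts or a third-party tracker) can be scripted. The following is an added example, not GitHub's own code or tooling: the endpoint paths (`POST /repos/{owner}/{repo}/security-advisories/reports`, `GET /repos/{owner}/{repo}/security-advisories`), the request headers and the JSON field names are assumptions taken from GitHub's REST documentation for private vulnerability reporting as I recall it and should be checked against the current docs. The `FakeGitHub` transport and the sample report are constructed so the script runs offline; swap in `GitHubClient` with a real token to hit the API.

```python
# Added example, not GitHub's own code: a small client for the repository
# security advisories API. Endpoint paths, header values and JSON field names
# are ASSUMED from GitHub's REST docs; verify them before relying on this.
import json
import urllib.request

API = "https://api.github.com"
API_VERSION = "2022-11-28"  # assumed X-GitHub-Api-Version value


def build_report(summary, description, ecosystem, package,
                 vulnerable_range, patched_versions, cwe_ids=(), severity="high"):
    """Build the JSON body for one private report (field names assumed)."""
    if not 0 < len(summary) <= 1024:
        raise ValueError("summary must be 1..1024 characters")
    return {
        "summary": summary,
        "description": description,
        "severity": severity,
        "cwe_ids": list(cwe_ids),
        "vulnerabilities": [{
            "package": {"ecosystem": ecosystem, "name": package},
            "vulnerable_version_range": vulnerable_range,
            "patched_versions": patched_versions,
        }],
    }


class GitHubClient:
    """Real transport: authenticated JSON requests via urllib (needs network)."""
    def __init__(self, token):
        self.token = token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API + path, data=data, method=method, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {self.token}",
            "X-GitHub-Api-Version": API_VERSION,
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)


class FakeGitHub:
    """Constructed in-memory stand-in with the same request() shape so the
    workflow runs offline; it imitates only what this script needs."""
    def __init__(self):
        self.advisories = {}   # "owner/repo" -> list of advisory dicts
        self.calls = []

    def request(self, method, path, body=None):
        self.calls.append((method, path))
        owner, repo = path.split("/")[2:4]
        key = f"{owner}/{repo}"
        if method == "POST" and path.endswith("/security-advisories/reports"):
            adv = dict(body, ghsa_id=f"GHSA-fake-{len(self.calls):04d}", state="triage")
            self.advisories.setdefault(key, []).append(adv)
            return 201, adv
        if method == "GET":
            return 200, list(self.advisories.get(key, []))
        return 404, {"message": "Not Found"}


def submit_to_repos(client, repos, report):
    """Automated submission: open the same private report on several repos.
    Returns {repo: ghsa_id or None on failure}."""
    results = {}
    for full_name in repos:
        status, data = client.request(
            "POST", f"/repos/{full_name}/security-advisories/reports", report)
        results[full_name] = data.get("ghsa_id") if status == 201 else None
    return results


def new_triage_reports(client, repo, seen):
    """Alerting: list advisories still in 'triage' and return the ids not yet
    in `seen`, adding them to `seen`. Call this from a scheduler."""
    status, advisories = client.request(
        "GET", f"/repos/{repo}/security-advisories?state=triage")
    if status != 200:
        return []
    fresh = [a["ghsa_id"] for a in advisories
             if a.get("state") == "triage" and a["ghsa_id"] not in seen]
    seen.update(fresh)
    return fresh


if __name__ == "__main__":
    gh = FakeGitHub()  # replace with GitHubClient(token) for real use
    report = build_report(                                   # constructed sample
        "Path traversal in archive extraction",
        "Entries containing '../' escape the target directory.",
        "npm", "@example/untar", "< 2.3.1", "2.3.1", cwe_ids=("CWE-22",))
    print(submit_to_repos(gh, ["example/untar", "example/untar-cli"], report))
    seen = set()
    print(new_triage_reports(gh, "example/untar", seen))
```

The `seen` set is the only state the poller needs; persisting it between runs (a file, a database row) is what turns the loop into the scheduled "ping" the announcement describes, and the returned ids are what you would hand to a ticketing or vulnerability-management system.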

In other GitHub news, the company is rolling out verifiable npm packages. Known as NPM Package Signing, the tool is now available in beta on GitHub Actions for users on Team, Pro, or Enterprise plans.

The feature works by generating a unique key pair for each developer who opts in to NPM package signing. The developer can then use the key pair to sign their npm packages and publish them to GitHub Packages, a hosting service for npm packages.

Source: GitHub

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.