GitHub is making it much easier for project admins to find out about vulnerabilities and solve them before they go public. The company says a new feature provides a feedback system for security researchers to privately report vulnerabilities to project maintainers.
The feature, called “private vulnerability reporting”, is part of GitHub’s security advisories, which help developers coordinate, fix, and disclose security issues.
It is worth noting that the feature has been in limited preview since last year and is now becoming available to everyone (although still as a beta release). As private vulnerability reporting reaches all users, GitHub is adding the following new abilities:
- “Enable at scale. During the public beta, private vulnerability reporting could only be enabled on individual repositories. Now, maintainers can enable private vulnerability reporting on all repositories in their organization.
- Multiple credit types. Maintainers can choose how to credit those who find and contribute to vulnerabilities and remediation.
- Integration and automation. A new repository security advisories API supports several new integration and automation workflows:
  - Integration with third-party systems: maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems.
  - Automated submissions: security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when packages share a common vulnerability.
  - Vulnerability alerts: anyone can keep a close eye on critical repos by scheduling automatic pings for notifications of new vulnerability reports.”
How Private Vulnerability Reporting Works
To use private vulnerability reporting, researchers navigate to the Security tab of the repository they want to report a vulnerability in and click “Report a vulnerability” to open an advisory form (summary, description, affected package and versions, severity). Once the form is submitted, the repository maintainers receive a notification and can review the report, which is visible only to them and to the reporter. The maintainer can then accept the report and turn it into a draft advisory to coordinate a fix and disclosure, reject it, or ask the researcher for more detail, all privately, so nothing becomes public before a fix is ready.
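The same submit-and-triage flow, and the API workflows listed above (third-party integration, bulk submission to several repositories, and scheduled checks for new reports), can be driven from a script. The following is an added example written for this page, not code from GitHub: it uses the public REST endpoints for privately reporting a vulnerability (`POST /repos/{owner}/{repo}/security-advisories/reports`) and for listing a repository's security advisories (`GET /repos/{owner}/{repo}/security-advisories`). The repository names, token and advisory records are constructed placeholders, and the accepted values for fields such as severity and ecosystem are assumptions to check against GitHub's API documentation.

```python
"""Added example, not GitHub's own code: drive private vulnerability
reporting through the GitHub REST API (version 2022-11-28).

Endpoints used:
  POST /repos/{owner}/{repo}/security-advisories/reports  submit a private report
  GET  /repos/{owner}/{repo}/security-advisories           list a repo's advisories
Repositories, token and advisory records below are constructed sample data.
"""
import json
import urllib.request
from datetime import datetime

API = "https://api.github.com"
API_VERSION = "2022-11-28"
SEVERITIES = ("critical", "high", "medium", "low")   # assumed accepted values


def build_report(ecosystem, package, vulnerable_range, summary,
                 description, severity="high", cwe_ids=()):
    """Build the JSON body for a private report and sanity-check the fields a
    maintainer needs before it leaves the researcher's machine: a report with
    no affected package or no summary is useless for triage."""
    if not summary or len(summary) > 1024:
        raise ValueError("summary is required and limited to 1024 characters")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if not ecosystem or not package:
        raise ValueError("an affected package (ecosystem + name) is required")
    return {
        "summary": summary,
        "description": description,
        "severity": severity,
        "cwe_ids": list(cwe_ids),
        "vulnerabilities": [{
            "package": {"ecosystem": ecosystem, "name": package},
            "vulnerable_version_range": vulnerable_range,
        }],
    }


def build_request(owner, repo, body, token):
    """Assemble the POST request without sending it, so it can be inspected
    (or sent with urllib.request.urlopen once a real token is at hand)."""
    url = f"{API}/repos/{owner}/{repo}/security-advisories/reports"
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": API_VERSION,
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


def report_to_many(repos, body, token, send=False):
    """'Automated submissions': one report, several repositories that ship the
    same vulnerable package. Returns (repo, url) pairs; with send=True the url
    is the html_url of the advisory the API created (needs network + token)."""
    out = []
    for owner, repo in repos:
        req = build_request(owner, repo, body, token)
        if send:
            with urllib.request.urlopen(req) as resp:
                out.append((f"{owner}/{repo}", json.load(resp)["html_url"]))
        else:
            out.append((f"{owner}/{repo}", req.full_url))
    return out


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def new_reports(advisories, since):
    """'Vulnerability alerts': given the JSON array returned by the list
    endpoint, return the ghsa_ids of reports still awaiting triage (state
    'triage' = submitted, neither accepted nor closed) created after `since`.
    Run it on a schedule and keep the last timestamp between runs."""
    cutoff = _ts(since)
    return [a["ghsa_id"] for a in advisories
            if a.get("state") == "triage" and _ts(a["created_at"]) > cutoff]


# Constructed sample of the list endpoint's response (ids are placeholders).
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "state": "triage",
     "created_at": "2023-04-21T10:00:00Z"},
    {"ghsa_id": "GHSA-dddd-eeee-ffff", "state": "triage",
     "created_at": "2023-04-19T08:30:00Z"},   # seen on the previous run
    {"ghsa_id": "GHSA-gggg-hhhh-iiii", "state": "draft",
     "created_at": "2023-04-21T12:00:00Z"},   # accepted by the maintainer
]

if __name__ == "__main__":
    body = build_report("npm", "example-widget", "< 1.4.2",
                        "Prototype pollution in merge()",
                        "merge() copies __proto__ keys from untrusted input.",
                        severity="high", cwe_ids=["CWE-1321"])
    for repo, url in report_to_many([("octo-org", "widget"),
                                      ("octo-org", "widget-cli")], body, "TOKEN"):
        print("would POST to", url)
    print("new reports:", new_reports(SAMPLE_ADVISORIES, "2023-04-20T00:00:00Z"))
```

Run as-is the script only builds the requests and filters the constructed sample; pass `send=True` and a token that is allowed to create advisories on the target repositories to actually submit. The validation in `build_report` is deliberate: a bulk submission that fans out a half-filled report to a dozen repositories wastes a dozen maintainers' time.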
In other GitHub news, the company is rolling out verifiable npm packages. Known as NPM Package Signing, the tool is now available in beta on GitHub Actions for users with a Team, Pro, or Enterprise account.
The feature works by generating a unique key pair for each developer who opts in to NPM package signing. The developer can then use the key pair to sign their npm packages and publish them to GitHub Packages, a hosting service for npm packages. A signature only protects consumers who verify it, so the practical value of the scheme depends on the public half of that key pair being discoverable from the registry and on installs checking the signature against it rather than trusting the package tarball alone.