GitHub now allows enabling private vulnerability reporting at scale

GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization.

Once toggled on, security researchers can use this dedicated communications channel to privately disclose security issues to an open-source project's maintainers without accidentally leaking vulnerability details.

This is "a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories," GitHub's Eric Tooley and Kate Catlin said.

Since its introduction as an opt-in feature in November 2022 during the GitHub Universe 2022 global developer event, "maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers."

Easy to enable across an org's repos

During the public beta test phase, the option to report private vulnerabilities could only be activated by maintainers and repository owners only on single repositories.

Starting this week, they can now enable this direct bug-reporting channel for all repositories within their organization.

GitHub has also added integration and automation support via a new repository security advisories API that enables dispatching private reports to third-party vulnerability management systems and submitting the same report to multiple repos sharing a security flaw.

It can also be configured so private bug reporting is enabled automatically on all new public repositories.

The functionality can be enabled under 'Code security and analysis' by clicking the 'Enable all' button next to the 'Private vulnerability reporting' option.



Enabling private vulnerability reporting (GitHub)

Source: bleepingcomputer.com