Making initial contact with a maintainer to disclose a vulnerability is often difficult: public repositories rarely document a private reporting channel, and opening a public issue would expose the flaw before a fix exists. To address this, GitHub recently announced the general availability of private vulnerability reporting, a private collaboration channel that lets security researchers report vulnerabilities on public repositories and work with maintainers on a fix.
The beta of this feature was announced in 2022. Since then, more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers.
Based on feedback during the beta phase, GitHub has made the following improvements:
- Enable at scale. During the public beta, private vulnerability reporting could only be enabled on individual repositories. Now, maintainers can enable private vulnerability reporting on all repositories in their organization at once.
- Multiple credit types. Maintainers can choose how to credit those who find and report vulnerabilities and those who contribute to remediation.
- Integration and automation. A new repository security advisories API supports several new integration and automation workflows.
You can learn more about this feature here.