GitHub Now Supports Private Vulnerability Reporting For Public Repositories

Written by

Code hosting company GitHub has unveiled a new direct channel for security researchers to report vulnerabilities in public repositories.

The feature needs to be manually enabled by repository maintainers and, once active, enables security researchers to report any vulnerabilities identified in their code.

“Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting,” the Microsoft-owned platform wrote in a recent blog post.

According to the company, security researchers often feel responsible for alerting users to a vulnerability that could be exploited.

However, in the lack of clear instructions about contacting maintainers of the repository containing the vulnerability, researchers may have to disclose the vulnerability on social media or send direct messages to the maintainer, which could lead to public disclosure of the flaw details.

“The default behavior in GitHub to reporting issues is using the issues functionality (or potentially a git request),” said John Bambenek, principal threat hunter at Netenrich, referring to the previous system of disclosing vulnerabilities on GitHub.

“Both are public, which allows attackers to know there is a problem, and they can use the age of the initial report to further inform their targeting,” Bambenek told Infosecurity. “Attackers still have the window between when a patch is available and when it is universally applied. We don’t need to give them even more time.”

The new feature has therefore been designed to make it easier for security researchers to report vulnerabilities directly using a simple form.

“Full props to Github here, not just for creating a workflow to facilitate vulnerability disclosure, but more importantly, for normalizing the importance of security feedback from the outside world for F/OSS maintainers and developers,” said Casey Ellis, founder and CTO at Bugcrowd.

Upon receiving a vulnerability alert, security researchers can accept it, ask more questions or reject it. Should they decide to accept it, they will then be able to collaborate with the individual who discovered the vulnerability.

The private vulnerability reporting capability comes weeks after Checkmarx discovered a flaw in GitHub that could have reportedly enabled attackers to take control of repositories and spread malware to related apps and code.

What’s hot on Infosecurity Magazine?