GitHub’s private vulnerability reporting feature, which has been in testing since late last year, is now generally available.
future open source maintainer (opens in new tab) Projects can now communicate directly with security researchers and stay informed about security issues without the risk of exposing vulnerabilities.
Maintainers can enable this feature at scale, allowing all repositories to be better protected. Previously, open source project maintainers could only enable features in a single repository.
GitHub security hardening Eric Tooley and Kate Caitlin of GitHub describe the feature as “a private collaboration channel that allows researchers and maintainers to easily report and fix vulnerabilities in public repositories.”
The company first introduced it in November 2022, and since then, maintainers at over 30,000 organizations have turned on the feature, protecting over 180,000 repositories. During that time, security researchers have made over 1,000 submissions of her.
The platform also announced a new Repository Security Advisory API that supports a number of new integration and automation workflows. Among other things, “a maintainer can pipe private vulnerability reports from his GitHub into a third-party vulnerability management system,” but “a security researcher can use the API to retrieve private vulnerability reports for multiple repositories.” You can also open it programmatically.”
Finally, maintainers and security researchers can schedule automatic pings to be notified of new vulnerability reports.
Supply chain cyberattacks have become very common these days, with GitHub being one of the most popular attack vectors. Attackers can exploit the platform to hide malicious code and distribute it to hundreds of projects at once. Securing open source code repositories such as GitHub has therefore become imperative as small businesses scale their digital operations.
websitebuildersnow
GIPHY App Key not set. Please check settings