Skip to main content
 

 

Creating a repository security advisory

In this article

You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.

Anyone with admin permissions to a repository can create a security advisory.

Note: If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer.

Creating a security advisory

  1. On GitHub.com, navigate to the main page of the repository.
  2. Under your repository name, click Security. Security tab
  3. In the left sidebar, click Security advisories. Security advisories tab
  4. Click New draft security advisory. Open draft advisory button
  5. Type a title for your security advisory.
  6. Edit the product and versions affected by the security vulnerability that this security advisory addresses. If applicable, you can add multiple affected products to the same advisory. Security advisory metadata
  7. Select the severity of the security vulnerability. To assign a CVSS score, select "Assess severity using CVSS" and click the appropriate values in the calculator. GitHub calculates the score according to the "Common Vulnerability Scoring System Calculator." Drop-down menu to select the severity
  8. Add common weakness enumerators (CWEs) for the kinds of security weaknesses that this security advisory addresses. For a full list of CWEs, see the "Common Weakness Enumeration" from MITRE.
  9. If you have an existing CVE identifier, select "I have an existing CVE identifier" and type the CVE identifier in the text box. Otherwise, you can request a CVE from GitHub later. For more information, see "About GitHub Security Advisories."
  10. Type a description of the security vulnerability. Security advisory vulnerability description
  11. Click Create draft security advisory. Create security advisory button

Next steps