Anyone with admin permissions to a repository can create a security advisory.
Note: If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer.
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- In the left sidebar, click Security advisories.
- Click New draft security advisory.
- Type a title for your security advisory.
- Edit the product and versions affected by the security vulnerability that this security advisory addresses.
- Select the severity of the security vulnerability. To assign a CVSS score, select "Assess severity using CVSS" and click the appropriate values in the calculator. GitHub calculates the score according to the "Common Vulnerability Scoring System Calculator."
- Add common weakness enumerators (CWEs) for the kinds of security weaknesses that this security advisory addresses. For a full list of CWEs, see the "Common Weakness Enumeration" from MITRE.
- If you have an existing CVE identifier, select "I have an existing CVE identifier" and type the CVE identifier in the text box. Otherwise, you can request a CVE from GitHub later. For more information, see "About GitHub Security Advisories."
- Type a description of the security vulnerability.
- Click Create draft security advisory.
- Comment on the draft security advisory to discuss the vulnerability with your team.
- Add collaborators to the security advisory. For more information, see "Adding a collaborator to a security advisory."
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "Collaborating in a temporary private fork to resolve a security vulnerability."
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "Editing a security advisory."
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "Publishing a security advisory."