Guidance on reporting and writing information about vulnerabilities

Best practices for writing security advisories and managing privately reported security vulnerabilities.

About coordinated disclosure of security vulnerabilities

Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.

Best practices for writing repository security advisories

When you create or edit security advisories, the information you provide is easier for other users to understand when you specify the ecosystem, package name, and affected versions using the standard formats.

Privately reporting a security vulnerability

Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.

Managing privately reported security vulnerabilities

Repository maintainers can manage security vulnerabilities that have been privately reported to them by security researchers for repositories where private vulnerability reporting is enabled.