Guidance on reporting and writing information about vulnerabilities

Best practices for writing security advisories and managing privately reported security vulnerabilities.

About coordinated disclosure of security vulnerabilities
Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.
Best practices for writing repository security advisories
When you create or edit security advisories, the information you provide is easier for other users to understand when you specify the ecosystem, package name, and affected versions using the standard formats.
Privately reporting a security vulnerability
Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.
Managing privately reported security vulnerabilities
Repository maintainers can manage security vulnerabilities that have been privately reported to them by security reseachers for repositories where private vulnerability reporting is enabled.

About coordinated disclosure of security vulnerabilities