
Managing privately reported security vulnerabilities

Repository maintainers can manage security vulnerabilities that have been privately reported to them by security researchers for repositories where private vulnerability reporting is enabled.

Who can use this feature

Anyone with admin permissions to a repository can see, review, and manage privately-reported vulnerabilities for the repository.

Note: The private reporting of vulnerabilities is currently in beta and subject to change.

Owners and administrators of public repositories can enable private vulnerability reporting on their repositories. For more information, see "Configuring private vulnerability reporting for a repository."

About privately reporting a security vulnerability

Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.

When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.

Managing security vulnerabilities that are privately reported

GitHub notifies repository maintainers when security researchers privately report vulnerabilities in their repository, and sends notifications if maintainers watch the repository or if they have notifications enabled for the repository. For more information, see "Configuring notifications."

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under the repository name, click Security.

  3. In the left sidebar, under "Reporting", click Advisories.

  4. Click the advisory you want to review. An advisory that is privately reported will have a status of Needs triage.

    Screenshot: example of the advisory list.

  5. Carefully review the report. You can:

    • Collaborate with the security researcher on a patch in private, by clicking Start a temporary private fork. This gives you a place for further discussions with the contributor without changing the status of the proposed advisory from Needs triage.

    • Accept the vulnerability report as a draft advisory on GitHub, by clicking Accept and open as draft. If you choose this option:

      • This doesn't make the report public.
      • The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create. For more information on security advisories, see "About repository security advisories."

    • Reject the report by clicking Close security advisory. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.

      Screenshot: options available to the repository maintainer when reviewing an externally submitted vulnerability report.
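Maintainers who prefer to track incoming reports outside the web UI can do the same triage through the REST API. The script below is an added example, not code from the GitHub documentation; it assumes the endpoint GET /repos/{owner}/{repo}/security-advisories returns privately reported submissions with state "triage" while they await review, and the sample response (field names, GHSA ids) is constructed for illustration.

```python
import json
import urllib.request
from datetime import datetime, timedelta

API = "https://api.github.com"


def advisories_request(owner, repo, token):
    """Build (but do not send) the request for a repository's security advisories.
    Assumed endpoint: GET /repos/{owner}/{repo}/security-advisories."""
    req = urllib.request.Request(f"{API}/repos/{owner}/{repo}/security-advisories")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def parse_timestamp(value):
    """GitHub timestamps are ISO 8601 with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def needing_triage(advisories):
    """Privately reported advisories still in 'triage' (shown as Needs triage in the UI), oldest first."""
    reports = [a for a in advisories if a.get("state") == "triage"]
    return sorted(reports, key=lambda a: parse_timestamp(a["created_at"]))


def overdue(advisories, now, max_age=timedelta(days=7)):
    """Reports that have waited longer than max_age without being accepted or closed."""
    return [a for a in needing_triage(advisories) if now - parse_timestamp(a["created_at"]) > max_age]


# Constructed sample in the assumed response shape; the GHSA ids are placeholders.
SAMPLE = json.loads("""[
  {"ghsa_id": "GHSA-xxxx-xxxx-0001", "state": "triage", "severity": "high",
   "summary": "Path traversal in archive extraction", "created_at": "2024-05-01T09:00:00Z"},
  {"ghsa_id": "GHSA-xxxx-xxxx-0002", "state": "draft", "severity": "medium",
   "summary": "Accepted report, fix in progress in a temporary private fork",
   "created_at": "2024-04-20T09:00:00Z"},
  {"ghsa_id": "GHSA-xxxx-xxxx-0003", "state": "triage", "severity": "low",
   "summary": "Verbose error page", "created_at": "2024-05-10T09:00:00Z"}
]""")

if __name__ == "__main__":
    now = parse_timestamp("2024-05-12T00:00:00Z")  # fixed clock so the sample output is reproducible
    late = overdue(SAMPLE, now)
    for a in needing_triage(SAMPLE):
        print(f"{a['ghsa_id']} [{a['severity']}] {'OVERDUE' if a in late else 'open'}: {a['summary']}")
```

Replace SAMPLE with the parsed body of `urllib.request.urlopen(advisories_request(...))` to run it against a real repository; the token needs repository admin access, matching the permission the UI requires.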