Working with repository security advisories

Discuss, fix, and disclose security vulnerabilities in your repositories using repository security advisories.

About repository security advisories
You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.
Permission levels for repository security advisories
The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
Configuring private vulnerability reporting for a repository
Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
Configuring private vulnerability reporting for an organization
Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.
Creating a repository security advisory
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
Editing a repository security advisory
You can edit the metadata and description for a repository security advisory if you need to update details or correct errors.
Evaluating the security settings of a repository
Security researchers can assess the security settings of a public repository, suggest a security policy and report a vulnerability.
Collaborating in a temporary private fork to resolve a repository security vulnerability
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
Publishing a repository security advisory
You can publish a security advisory to alert your community about a security vulnerability in your project.
Adding a collaborator to a repository security advisory
You can add other users or teams to collaborate on a security advisory with you.
Removing a collaborator from a repository security advisory
When you remove a collaborator from a repository security advisory, they lose read and write access to the security advisory's discussion and metadata.
Withdrawing a repository security advisory
You can withdraw a repository security advisory that you've published.