You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.
The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
You can edit the metadata and description for a repository security advisory if you need to update details or correct errors.
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
You can publish a security advisory to alert your community about a security vulnerability in your project.
You can add other users or teams to collaborate on a security advisory with you.
When you remove a collaborator from a repository security advisory, they lose read and write access to the security advisory's discussion and metadata.
You can withdraw a repository security advisory that you've published.