
Configuring private vulnerability reporting for a repository

Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.

Who can use this feature

Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository.

Note: The private reporting of vulnerabilities is currently in beta and subject to change.

About privately reporting a security vulnerability

Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting the maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.

When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.

For maintainers, the benefits of using private vulnerability reporting are:

  • Less risk of being contacted publicly, or via undesired means.
  • Receive reports in the same platform you resolve them in, for simplicity.
  • The security researcher creates, or at least initiates, the advisory report on behalf of the maintainers.
  • Maintainers receive reports in the same platform as the one used to discuss and resolve the advisories.
  • The vulnerability is less likely to be in the public eye.
  • The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.

Enabling or disabling private vulnerability reporting for a repository

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", to the right of "Private vulnerability reporting", click Enable or Disable, to enable or disable the feature, respectively.

    Screenshot of the "Code security and analysis" page with the "Enable" button emphasized for private vulnerability reporting
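The steps above toggle the setting through the repository's Settings page. As an added example (not code from the GitHub Docs page), the helper below checks and enforces the same setting over the REST API, which is useful when an organization wants it on for every public repository. It assumes the `GET`/`PUT`/`DELETE /repos/{owner}/{repo}/private-vulnerability-reporting` endpoints of the GitHub REST API and a token with admin rights on the repository; the `send` parameter exists so the logic can be exercised offline with a fake transport.

```python
# Added example, not part of the GitHub Docs page. Assumption: the endpoint
# paths below follow the GitHub REST API reference for private vulnerability
# reporting; this page itself only documents the Settings UI.
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def github_send(method, url, token):
    """Real transport: one authenticated request, returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def ensure_private_reporting(owner, repo, token, enabled=True, send=github_send):
    """Make private vulnerability reporting match `enabled` for one repo.

    Idempotent: reads the current state first and only writes when it
    differs. Returns "unchanged", "enabled" or "disabled".
    """
    url = f"{API}/repos/{owner}/{repo}/private-vulnerability-reporting"
    status, body = send("GET", url, token)
    if status != 200:
        raise RuntimeError(f"cannot read setting for {owner}/{repo}: HTTP {status}")
    current = bool(json.loads(body).get("enabled", False))
    if current == enabled:
        return "unchanged"
    # PUT enables the feature, DELETE disables it; both answer 204 on success.
    status, _ = send("PUT" if enabled else "DELETE", url, token)
    if status != 204:
        raise RuntimeError(f"update failed for {owner}/{repo}: HTTP {status}")
    return "enabled" if enabled else "disabled"


if __name__ == "__main__":
    # Placeholder owner/repo; set GITHUB_TOKEN to run against a real repository.
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        print(ensure_private_reporting("OWNER", "REPO", token, enabled=True))
```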

When a maintainer enables private vulnerability reporting for their repository, security researchers will see a new button on the Advisories page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer.

Screenshot showing the "Report a vulnerability" button