Anyone with admin permissions to a repository can create a security advisory.
Note: If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer. However, if private vulnerability reporting is enabled for the repository, you can privately report a vulnerability yourself. For more information, see "Privately reporting a security vulnerability."
- On GitHub.com, navigate to the main page of the repository.
- Under the repository name, click Security.
- In the left sidebar, under "Reporting", click Advisories.
- Click New draft security advisory to open the draft advisory form. The fields marked with an asterisk are required.
- Type a title for your security advisory.
- Edit the product and versions affected by the security vulnerability that this security advisory addresses. If applicable, you can add multiple affected products to the same advisory. For information about how to specify information on the form, including affected versions, see "Best practices for writing repository security advisories."
- Select the severity of the security vulnerability. To assign a CVSS score, select "Assess severity using CVSS" and click the appropriate values in the calculator. GitHub calculates the score according to the "Common Vulnerability Scoring System Calculator."
- Add common weakness enumerators (CWEs) for the kinds of security weaknesses that this security advisory addresses. For a full list of CWEs, see the "Common Weakness Enumeration" from MITRE.
- If you have an existing CVE identifier, select "I have an existing CVE identifier" and type the CVE identifier in the text box. Otherwise, you can request a CVE from GitHub later. For more information, see "About GitHub Security Advisories."
- Type a description of the security vulnerability.
- Click Create draft security advisory.
- Comment on the draft security advisory to discuss the vulnerability with your team.
- Add collaborators to the security advisory. For more information, see "Adding a collaborator to a repository security advisory."
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "Collaborating in a temporary private fork to resolve a repository security vulnerability."
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "Editing a repository security advisory."
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "Publishing a repository security advisory."