Skip to main content

Editing a repository security advisory

You can edit the metadata and description for a repository security advisory if you need to update details or correct errors.

People with admin permissions to a repository security advisory can edit the security advisory.

Note: This article applies to editing repository-level advisories as a repository owner.

Users who are not repository owners can contribute to global security advisories in the GitHub Advisory Database at Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "Editing security advisories in the GitHub Advisory Database."

About credits for security advisories

You can credit people who helped discover, report, or fix a security vulnerability. If you credit someone, they can choose to accept or decline credit.

If someone accepts credit, the person's username appears in the "Credits" section of the security advisory. Anyone with read access to the repository can see the advisory and the people who accepted credit for it.

If you believe you should be credited for a security advisory, please contact the person who created the advisory and ask them to edit the advisory to include your credit. Only the creator of the advisory can credit you, so please don't contact GitHub Support about credits for security advisories.

Editing a security advisory

  1. On, navigate to the main page of the repository.
  2. Under the repository name, click Security. Security tab
  3. In the left sidebar, under "Reporting", click Advisories. Security advisories tab
  4. In the "Security Advisories" list, click the security advisory you'd like to edit.
  5. In the upper-right corner of the details for the security advisory, click . This will open the security advisory form in edit mode. Edit button for a security advisory
  6. Edit the product and versions affected by the security vulnerability that this security advisory addresses. If applicable, you can add multiple affected products to the same advisory. Security advisory metadata For information about how to specify information on the form, including affected versions , see "Best practices for writing repository security advisories."
  7. Select the severity of the security vulnerability. To assign a CVSS score, select "Assess severity using CVSS" and click the appropriate values in the calculator. GitHub calculates the score according to the "Common Vulnerability Scoring System Calculator." Drop-down menu to select the severity
  8. Add common weakness enumerators (CWEs) for the kinds of security weaknesses that this security advisory addresses. For a full list of CWEs, see the "Common Weakness Enumeration" from MITRE.
  9. If you have an existing CVE identifier, select "I have an existing CVE identifier" and type the CVE identifier in the text box. Otherwise, you can request a CVE from GitHub later. For more information, see "About GitHub Security Advisories."
  10. Type a description of the security vulnerability. Security advisory vulnerability description
  11. Optionally, edit the "Credits" for the security advisory. Credits for a security advisory
  12. Click Update security advisory. "Update security advisory" button
  13. The people listed in the "Credits" section will receive an email or web notification inviting them to accept credit. If a person accepts, their username will be publicly visible once the security advisory is published.

Further reading