Working with repository security advisories
Discuss, fix, and disclose security vulnerabilities in your repositories using repository security advisories.
You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.
The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
You can edit the metadata and description for a repository security advisory if you need to update details or correct errors.
Security researchers can assess the security settings of a public repository, suggest a security policy and report a vulnerability.
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
You can publish a security advisory to alert your community about a security vulnerability in your project.
You can add other users or teams to collaborate on a security advisory with you.
When you remove a collaborator from a repository security advisory, they lose read and write access to the security advisory's discussion and metadata.
You can withdraw a repository security advisory that you've published.