Working with repository security advisories

Discuss, fix, and disclose security vulnerabilities in your repositories using repository security advisories.

Deprecation note: GitHub is deprecating repository security advisories in private repositories that do not have GitHub Advanced Security (GHAS) enabled. As of 15th February 2024, you will no longer be able to create security advisories in private repositories that do not have GHAS enabled.

This deprecation does not affect published security advisories on public repositories. It also does not affect security advisories on private repositories that have GHAS enabled.

Formerly published advisories in private repositories that do not have GHAS enabled will disappear. If you need to save previously published advisories, you can download them using the GitHub REST API. For more information, see "Repository security advisories" in the REST API documentation.

About repository security advisories

You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.

Permission levels for repository security advisories

The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.

Configuring private vulnerability reporting for a repository

Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.

Configuring private vulnerability reporting for an organization

Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.

Creating a repository security advisory

You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.

Editing a repository security advisory

You can edit the metadata and description for a repository security advisory if you need to update details or correct errors.

Evaluating the security settings of a repository

Security researchers can assess the security settings of a public repository, suggest a security policy and report a vulnerability.

Collaborating in a temporary private fork to resolve a repository security vulnerability

You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.

Publishing a repository security advisory

You can publish a security advisory to alert your community about a security vulnerability in your project.

Adding a collaborator to a repository security advisory

You can add other users or teams to collaborate on a security advisory with you.

Removing a collaborator from a repository security advisory

When you remove a collaborator from a repository security advisory, they lose read and write access to the security advisory's discussion and metadata.

Withdrawing a repository security advisory

You can withdraw a repository security advisory that you've published.