Permission levels for repository security advisories

The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.

This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the GitHub Advisory Database at github.com/advisories. Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "Editing security advisories in the GitHub Advisory Database."

Permissions overview

Anyone with admin permissions to a public repository can create a security advisory.

Anyone with admin permissions to a public repository also has admin permissions to all security advisories in that repository. People with admin permissions to a security advisory can add collaborators, and collaborators have write permissions to the security advisory. For more information about adding a collaborator to a security advisory, see "Adding a collaborator to a repository security advisory."

Action | Write permissions | Admin permissions
See a draft security advisory
Add collaborators to the security advisory (see "Adding a collaborator to a repository security advisory")
Edit and delete any comments in the security advisory
Create a temporary private fork in the security advisory (see "Collaborating in a temporary private fork to resolve a repository security vulnerability")
Add changes to a temporary private fork in the security advisory (see "Collaborating in a temporary private fork to resolve a repository security vulnerability")
Create pull requests in a temporary private fork (see "Collaborating in a temporary private fork to resolve a repository security vulnerability")
Merge changes in the security advisory (see "Collaborating in a temporary private fork to resolve a repository security vulnerability")
Add and edit metadata in the security advisory (see "Publishing a repository security advisory")
Add and remove credits for a security advisory (see "Editing a repository security advisory")
Close the draft security advisory
Publish the security advisory (see "Publishing a repository security advisory")

Further reading