About privately reporting a security vulnerability
Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.
Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.
When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.
For organization owners and security managers, the benefits of using private vulnerability reporting are:
- Receiving reports in the same platform where they are resolved
- Security researchers creating or initiating the advisory report on behalf of maintainers
- Reduced risk of vulnerabilities being in the public eye before a fix is available
- The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch
The instructions below refer to enabling the feature at the organization level. For information about enabling the feature for a single repository, see Configuring private vulnerability reporting for a repository.
When a new vulnerability is privately reported on a repository where private vulnerability reporting is enabled, GitHub notifies repository maintainers and security managers if:
- They're watching the repository for all activity.
- They have notifications enabled for the repository.
For more information about configuring notification preferences, see Configuring private vulnerability reporting for a repository.
Enabling or disabling private vulnerability reporting for public repositories added to the organization
You can enable or disable private vulnerability reporting for new public repositories added to the organization using the GitHub-recommended security configuration, or you can create a custom security configuration. For more information, see Applying the GitHub-recommended security configuration in your organization and Creating a custom security configuration.
What having private vulnerability reporting enabled for a repository looks like for a security researcher
When private vulnerability reporting is enabled for a repository, security researchers see a new button on the Advisories page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer.

Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see Privately report a security vulnerability.
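The REST API route the paragraph above refers to is `POST /repos/{owner}/{repo}/security-advisories/reports`. The following shell functions, added here as an example and not taken from GitHub's documentation or code, build the request URL and JSON body and submit the report with `curl`. It assumes a token with permission to report is available in `GITHUB_TOKEN`, that the `GITHUB_API` base URL defaults to `https://api.github.com`, and that the body fields `summary`, `description` and `severity` (one of `critical`, `high`, `medium`, `low`) match the endpoint's documented request body; the summary and description strings in the usage call are constructed placeholders.

```shell
#!/bin/sh
# Added example (not GitHub's own code): privately report a vulnerability
# via POST /repos/{owner}/{repo}/security-advisories/reports.
# Assumptions: GITHUB_TOKEN holds a token allowed to create the report;
# GITHUB_API overrides the API base URL when set.

GITHUB_API="${GITHUB_API:-https://api.github.com}"

# json_escape STRING: escape backslashes, double quotes and newlines so the
# value can be embedded safely inside a JSON string literal.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }'
}

# report_url OWNER REPO: the private-report endpoint for that repository.
report_url() {
  printf '%s/repos/%s/%s/security-advisories/reports' "$GITHUB_API" "$1" "$2"
}

# report_payload SUMMARY DESCRIPTION [SEVERITY]: JSON body for the request.
# Severity defaults to "medium" when not supplied.
report_payload() {
  severity="${3:-medium}"
  printf '{"summary":"%s","description":"%s","severity":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$severity"
}

# submit_report OWNER REPO SUMMARY DESCRIPTION [SEVERITY]: send the report
# and print the HTTP status code. Refuses to run without GITHUB_TOKEN so a
# dry run of the helpers above never reaches the network.
submit_report() {
  [ -n "${GITHUB_TOKEN:-}" ] || { echo "GITHUB_TOKEN is not set" >&2; return 1; }
  curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "$(report_url "$1" "$2")" \
    -d "$(report_payload "$3" "$4" "${5:-medium}")"
}

# Usage (constructed placeholder values; only sends when GITHUB_TOKEN is set):
#   submit_report example-org example-repo \
#     "Constructed example: unvalidated input in search" \
#     "Describe how the issue was found and what versions are affected." high
```

The `json_escape` step matters more than it looks: a description copied from notes often contains quotes and line breaks, and an unescaped value produces a malformed body that the API rejects, so the report never reaches the maintainers.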