
Configuring private vulnerability reporting for an organization

Organization owners and security managers can allow security researchers to report vulnerabilities in the organization's repositories safely by enabling private vulnerability reporting for all of its public repositories.

Who can use this feature?

Anyone with admin permissions to an organization, or with a security manager role within the organization, can enable and disable private vulnerability reporting for that organization.

About privately reporting a security vulnerability

Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.

When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.

For organization owners and security managers, the benefits of using private vulnerability reporting are:

  • Less risk of being contacted publicly, or via undesired means.
  • The security researcher creates, or at least initiates, the advisory report on behalf of the maintainers.
  • Maintainers receive reports in the same platform they use to discuss and resolve the advisories.
  • The vulnerability is less likely to end up in the public eye before a fix is available.
  • The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.

The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "Configuring private vulnerability reporting for a repository."

When a new vulnerability is privately reported on a repository where private vulnerability reporting is enabled, GitHub Enterprise Cloud notifies repository maintainers and security managers if:

  • They're watching the repository for all activity.
  • They have notifications enabled for the repository.

For more information about configuring notification preferences, see "Configuring private vulnerability reporting for a repository."

Enabling or disabling private vulnerability reporting for all the existing public repositories in an organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Next to the organization, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

    Note

    If your organization is enrolled in the security configurations and global settings public beta, instead of "Code security and analysis", you will see a "Code security" dropdown menu. Select Code security, then click Global settings. For next steps on enabling private vulnerability reporting and other security features at scale with security configurations, see "Applying the GitHub-recommended security configuration in your organization."

  4. Under "Code security and analysis", to the right of "Private vulnerability reporting", click Enable all or Disable all, to enable or disable the feature for all the public repositories within the organization, respectively.

    Screenshot of the "Code security and analysis" page with the "Disable all" and the "Enable all" button emphasized for private vulnerability reporting.

Enabling or disabling private vulnerability reporting for new public repositories added to the organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Next to the organization, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

    Note

    If your organization is enrolled in the security configurations and global settings public beta, instead of "Code security and analysis", you will see a "Code security" dropdown menu. Select Code security, then click Global settings. For next steps on setting a default security configuration for new public repositories that will automatically enable private vulnerability reporting, see "Applying the GitHub-recommended security configuration in your organization."

  4. Under "Code security and analysis", to the right of the feature, click Automatically enable for new public repositories.

    Screenshot of the "Code security and analysis" page with the "Automatically enable for new public repositories" checkbox emphasized for private vulnerability reporting.

  5. To the right of "Private vulnerability reporting", click Enable all or Disable all, to enable or disable the feature for all new public repositories that will be added to the organization, respectively.

What having private vulnerability reporting enabled for a repository looks like for a security researcher

When private vulnerability reporting is enabled for a repository, security researchers will see a new button in the Advisories page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer.

Screenshot showing the "Report a vulnerability" button for a repository where private vulnerability reporting has been enabled.

Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see "Privately report a security vulnerability."
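The UI steps above enable the feature for every public repository in an organization, but they give no record of which repositories actually ended up with private vulnerability reporting on. The following Python script is an added example, not code from the GitHub documentation or from GitHub itself. It audits (and optionally enables) private vulnerability reporting repository by repository through the REST API, and also shows the researcher-side call from the last paragraph: filing a report against a repository that has the feature enabled. The endpoint paths (`/orgs/{org}/repos`, `/repos/{owner}/{repo}/private-vulnerability-reporting`, `/repos/{owner}/{repo}/security-advisories/reports`), the `enabled` and `ghsa_id` response fields, and the status codes are taken from the REST API reference as the author understands it and should be checked against the current reference before use. The organization name, token and repository list are constructed; the `FakeGitHub` class stands in for api.github.com so the script runs offline.

```python
"""Audit/enable private vulnerability reporting (PVR) across an org, and file a
private report as a researcher, via the GitHub REST API (added example)."""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def _urllib_http(method, url, token, body=None):
    """Default transport: one REST call, returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def list_public_repos(org, token, http=_urllib_http):
    """Public, non-archived repos in the org: the org-level toggle only covers
    public repos, so these are the ones worth checking. Paginates by page."""
    repos, page = [], 1
    while True:
        status, batch = http("GET", f"{API}/orgs/{org}/repos?type=public&per_page=100&page={page}", token)
        if status != 200:
            raise RuntimeError(f"listing repos failed: HTTP {status}")
        repos += [r["name"] for r in batch if not r.get("archived")]
        if len(batch) < 100:
            return repos
        page += 1


def pvr_enabled(org, repo, token, http=_urllib_http):
    """Assumed endpoint: GET .../private-vulnerability-reporting -> {"enabled": bool}."""
    status, body = http("GET", f"{API}/repos/{org}/{repo}/private-vulnerability-reporting", token)
    if status != 200:
        raise RuntimeError(f"{repo}: status check failed: HTTP {status}")
    return bool(body["enabled"])


def audit_pvr(org, token, enable=False, http=_urllib_http):
    """Return public repos where PVR is still disabled. With enable=True, PUT the
    toggle on (assumed 204 on success) and re-read it rather than trusting the PUT."""
    missing = []
    for repo in list_public_repos(org, token, http):
        if pvr_enabled(org, repo, token, http):
            continue
        if enable:
            status, _ = http("PUT", f"{API}/repos/{org}/{repo}/private-vulnerability-reporting", token)
            if status == 204 and pvr_enabled(org, repo, token, http):
                continue
        missing.append(repo)
    return missing


def report_vulnerability(owner, repo, token, summary, description, http=_urllib_http):
    """Researcher side: POST a private report; assumed 201 with a draft advisory
    carrying a ghsa_id. The summary/description fields are the required ones."""
    status, body = http("POST", f"{API}/repos/{owner}/{repo}/security-advisories/reports", token,
                        {"summary": summary, "description": description})
    if status != 201:
        raise RuntimeError(f"report on {owner}/{repo} failed: HTTP {status} {body}")
    return body["ghsa_id"]


class FakeGitHub:
    """Constructed in-memory stand-in for api.github.com so the example runs offline."""

    def __init__(self, repos):
        self.repos = repos            # name -> {"archived": bool, "pvr": bool}
        self.reports = []

    def __call__(self, method, url, token, body=None):
        path = url[len(API):].split("?")[0]
        parts = path.split("/")       # ['', 'repos', owner, repo, ...]
        if method == "GET" and parts[1] == "orgs" and parts[3] == "repos":
            return 200, [{"name": n, "archived": r["archived"]} for n, r in self.repos.items()]
        if parts[1] == "repos" and parts[4:] == ["private-vulnerability-reporting"]:
            repo = self.repos[parts[3]]
            if method == "GET":
                return 200, {"enabled": repo["pvr"]}
            if method in ("PUT", "DELETE"):
                repo["pvr"] = method == "PUT"
                return 204, None
        if method == "POST" and parts[1] == "repos" and parts[4:] == ["security-advisories", "reports"]:
            if not self.repos[parts[3]]["pvr"]:
                return 404, {"message": "Not Found"}   # constructed: report refused when PVR is off
            self.reports.append((parts[3], body))
            return 201, {"ghsa_id": f"GHSA-fake-0000-{len(self.reports):04d}", "state": "triage"}
        return 404, {"message": "Not Found"}


if __name__ == "__main__":
    gh = FakeGitHub({"web-app": {"archived": False, "pvr": False},
                     "old-tool": {"archived": True, "pvr": False},
                     "sdk": {"archived": False, "pvr": True}})
    print("PVR disabled on:", audit_pvr("example-org", "ghp_fake", http=gh))
    print("still disabled after enabling:", audit_pvr("example-org", "ghp_fake", enable=True, http=gh))
    print("filed:", report_vulnerability("example-org", "web-app", "ghp_fake",
                                        "Reflected XSS in search", "Steps to reproduce ...", http=gh))
```

Against the real API, drop the `http=gh` argument and pass a token with organization administration (for the audit) or public repository access (for the report); the audit deliberately re-reads each repository's status after the `PUT` so the output reflects what is actually enabled, not what was requested.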