GitHub enables Private Vulnerability Reporting across all repositories
GitHub has expanded its private vulnerability reporting feature, which lets security researchers disclose security issues to the maintainers of open-source projects privately, without opening a public issue. Since the feature was introduced in November 2022, more than 30,000 organizations have enabled it on over 180,000 repositories. Previously it could only be switched on one repository at a time; it can now be enabled for every repository belonging to an organization from the organization's security settings.
With the feature enabled, owners and administrators of public repositories receive vulnerability reports on the same platform where they are fixed: they can discuss the details with the researcher, collaborate in a private fork to build a patch, and publish an advisory once a fix is available. Only the reporter and the repository's maintainers can see the report. Researchers submit a report from the repository's Security tab: in the left sidebar, under "Reporting", choose "Advisories" and click "Report a vulnerability". The button is only shown when the maintainers have enabled private reporting; otherwise, check the project's SECURITY.md for a disclosure contact. Reports can also be submitted through the GitHub REST API, using the body parameters described in the API documentation.
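The REST path is the one a researcher would script when reporting the same issue to several repositories. The following Python is an added example, not GitHub's own client or code from the article. It targets `POST /repos/{owner}/{repo}/security-advisories/reports` with the body fields (`summary`, `description`, `vulnerabilities`, `severity`, `cvss_vector_string`, `cwe_ids`, `start_private_fork`) and limits as I recall them from GitHub's REST reference; treat the field names and limits as assumptions to verify against the current documentation. The target repository, package name, and report contents in `__main__` are constructed sample data, not a real finding. Validation runs locally so a malformed report fails before it reaches the API.

```python
"""Build and submit a GitHub private vulnerability report over the REST API.

Added example; endpoint path, field names, and limits are assumptions based on
GitHub's public REST reference and should be checked against the current docs.
"""
import json
import os
import urllib.request
from urllib.error import HTTPError

API = "https://api.github.com"
SEVERITIES = {"critical", "high", "medium", "low"}


def build_private_report(owner, repo, summary, description,
                         vulnerabilities=None, severity=None,
                         cvss_vector=None, cwe_ids=None,
                         start_private_fork=False):
    """Return (url, body) for a report, enforcing the documented field rules
    locally so a bad report fails here instead of with a 422 from the API."""
    if not summary or len(summary) > 1024:
        raise ValueError("summary is required and limited to 1024 characters")
    if not description or len(description) > 65535:
        raise ValueError("description is required and limited to 65535 characters")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    body = {"summary": summary, "description": description}
    if vulnerabilities:
        for v in vulnerabilities:
            pkg = v.get("package", {})
            if not pkg.get("ecosystem") or not pkg.get("name"):
                raise ValueError("each vulnerability needs package.ecosystem and package.name")
        body["vulnerabilities"] = vulnerabilities
    if severity:
        body["severity"] = severity
    if cvss_vector:
        body["cvss_vector_string"] = cvss_vector
    if cwe_ids:
        body["cwe_ids"] = list(cwe_ids)
    if start_private_fork:
        body["start_private_fork"] = True
    return f"{API}/repos/{owner}/{repo}/security-advisories/reports", body


def submit_private_report(token, url, body):
    """POST the report as the reporting account; return (ghsa_id, html_url).

    The target repository must have private vulnerability reporting enabled;
    if it does not, or the body fails validation, the API returns an error
    (typically 404 or 422) and the message explains which.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            advisory = json.load(resp)
    except HTTPError as e:
        detail = e.read().decode(errors="replace")
        raise RuntimeError(f"report rejected: HTTP {e.code} {detail}") from e
    return advisory.get("ghsa_id"), advisory.get("html_url")


if __name__ == "__main__":
    # Constructed sample report against a hypothetical repository and package.
    url, body = build_private_report(
        "example-org", "example-repo",
        summary="Path traversal in archive extraction",
        description="extract() joins archive member names onto the destination "
                    "directory without rejecting '..' segments. Proof of concept "
                    "and affected versions follow.",
        vulnerabilities=[{
            "package": {"ecosystem": "pip", "name": "example-archiver"},
            "vulnerable_version_range": "< 2.3.1",
            "patched_versions": "2.3.1",
            "vulnerable_functions": ["example_archiver.extract"],
        }],
        severity="high",
        cwe_ids=["CWE-22"],
    )
    print(json.dumps(body, indent=2))
    if os.environ.get("GITHUB_TOKEN"):
        print(submit_private_report(os.environ["GITHUB_TOKEN"], url, body))
```

Without `GITHUB_TOKEN` set, the script only prints the request body, which is a convenient way to review what will be sent before disclosing anything; supply a token for the reporting account to actually file the report.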
Alongside private vulnerability reporting, GitHub has announced the general availability of secret scanning alerts for all public repositories. Secret scanning examines the contents of public repositories, including commit history, for credentials such as API keys and tokens that have been committed by mistake, and raises an alert to the repository's owners so they can act on it. The practical response to such an alert is to treat the credential as compromised and revoke or rotate it, because deleting it from the repository does not undo its exposure. Together, these features make it easier for maintainers and security researchers to keep open-source projects secure.