GitHub makes private vulnerability reporting feature generally available

24 Apr 2023

Last November, GitHub introduced private bug reporting to secure the open-source supply chain. This included private vulnerability reports.

GitHub, the code hosting platform that enables software developers to collaborate, has made a private vulnerability reporting feature generally available for free for public repositories.

The platform announced the news last week in a blog post. It said that the tool would make it easier for researchers and maintainers to report and fix vulnerabilities on public repositories.

In 2022, GitHub announced the public beta of private vulnerability reporting to test a solution to some of the problems researchers and maintainers were facing.

“Since then, maintainers for more than 30,000 organisations have enabled private vulnerability reporting on more than 180,000 repositories, receiving more than 1,000 submissions from security researchers,” the blog post said.

Detailed feedback from its open-source community during the beta led GitHub to make the private vulnerability reporting tool generally available.

Based on the feedback from the open source testers, it made improvements to the tool before releasing it to the public.

Since the changes were made, maintainers can enable private vulnerability reporting on all repositories in their organisation, not just on individual repositories.

Maintainers can now also choose how they credit people who find and contribute to fixing vulnerabilities.

Finally, a new repository security advisories API can support several new integration and automation workflows.

Integration with third-party systems enables maintainers to pipe private vulnerability reports from GitHub to other vulnerability management systems.

Security researchers can use the API to programmatically open a private vulnerability report on multiple repositories.

Anyone can also schedule automatic pings so that they are notified when new vulnerability reports arrive.
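As an added illustration of the "pipe reports to another system" workflow described above (example code written for this article, not GitHub's own tooling), a small Python poller that lists a repository's private vulnerability reports through the repository security advisories REST API and turns any report newer than the last run into a record for a downstream tracker. The endpoint path, `state` query parameter and JSON field names are assumed from GitHub's REST documentation and should be checked against the current docs; the ticket schema is hypothetical and the sample response is constructed.

```python
import json
import os
import urllib.request

API = "https://api.github.com"

def fetch_reports(owner, repo, token, state="triage"):
    """GET /repos/{owner}/{repo}/security-advisories (assumed endpoint).
    Private reports sit in 'triage' until a maintainer accepts or closes them."""
    url = f"{API}/repos/{owner}/{repo}/security-advisories?state={state}&per_page=100"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def new_reports(advisories, last_seen):
    """Advisories created after the ISO 8601 'Z' timestamp last_seen, oldest
    first, so a scheduled run can resume from the newest one it forwarded."""
    fresh = [a for a in advisories if a.get("created_at", "") > last_seen]
    return sorted(fresh, key=lambda a: a["created_at"])

def to_ticket(advisory):
    """Flatten one advisory into a hypothetical tracker record; fields the
    reporter left empty (summary, severity) get explicit fallbacks."""
    return {
        "external_id": advisory["ghsa_id"],
        "title": advisory.get("summary") or "(no summary)",
        "severity": advisory.get("severity") or "unknown",
        "url": advisory["html_url"],
        "reported_at": advisory["created_at"],
    }

# Constructed sample standing in for fetch_reports(...); placeholder ids/URLs.
SAMPLE = [
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "summary": "Path traversal in upload handler",
     "severity": "high", "state": "triage", "html_url": "https://example.invalid/a1",
     "created_at": "2023-04-20T09:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "summary": None, "severity": None,
     "state": "triage", "html_url": "https://example.invalid/a2",
     "created_at": "2023-04-22T15:30:00Z"},
]

if __name__ == "__main__":
    last = os.environ.get("LAST_SEEN", "2023-04-21T00:00:00Z")
    for adv in new_reports(SAMPLE, last):
        print(json.dumps(to_ticket(adv)))  # one line per ticket to forward
```

Swap `SAMPLE` for `fetch_reports(owner, repo, token)` and persist the newest `reported_at` as the next run's `LAST_SEEN` to get an idempotent scheduled forwarder.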

Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.