---
title: Privately reporting a security vulnerability
intro: Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.
versions:
  fpt: '*'
  ghec: '*'
type: how_to
topics:
  - Security advisories
  - Vulnerabilities
shortTitle: Privately reporting
redirect_from:
  - /code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
---

{% data reusables.security-advisory.private-vulnerability-reporting-enable %}

{% note %}

Notes:

  • If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "AUTOTITLE."
  • The ability to privately report a vulnerability in a repository is not related to the presence of a SECURITY.md file in that repository's root or docs directory.
    • The SECURITY.md file contains the security policy for the repository. Repository administrators can add and use this file to provide public instructions for how to report a security vulnerability in their repository. For more information, see "AUTOTITLE."
    • You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the SECURITY.md file. This reporting process is fully private, and {% data variables.product.prodname_dotcom %} notifies the repository administrators directly about your submission.

{% endnote %}

About privately reporting a security vulnerability

Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to the repository maintainer using a simple form.

For security researchers, the benefits of using private vulnerability reporting are:

  • Less frustration, and less time spent trying to figure out how to contact the maintainer.
  • A smoother process for disclosing and discussing vulnerability details.
  • The opportunity to discuss vulnerability details privately with the repository maintainer.

{% data reusables.security-advisory.private-vulnerability-reporting-disabled %}

Privately reporting a security vulnerability

If you do not have admin or security permissions for a public repository, you can still privately report a security vulnerability to repository maintainers. You can also evaluate the general security of a public repository and suggest a security policy. For more information, see "AUTOTITLE."

{% data reusables.security-advisory.reporting-a-vulnerability-non-admin %}

The next steps depend on the action taken by the repository maintainer. For more information, see "AUTOTITLE."