GitHub is launching a new channel for security researchers to disclose vulnerabilities in open source software. Reporting a vulnerability to an open source project is often complicated because many projects publish no clear instructions on how to contact the maintainers privately. As a result, security researchers end up reporting vulnerabilities over social media or by opening a public issue against the code repository. Both approaches publicly disclose the vulnerability details before the project maintainers have had a chance to review the report and ship a fix. With GitHub’s new approach, project maintainers have more control over how vulnerability details reach them, which makes it less likely that a vulnerability is exposed to the public ahead of the fix. The feature is currently in beta; a maintainer enables it per repository by turning on “Private vulnerability reporting” under Settings, then Code security and analysis.
This segment was created for the It’s 5:05 podcast