GitHub lets security researchers privately report bugs in external repos

GitHub allows security researchers to privately report vulnerabilities to repository administrators. This was already possible in beta, but now it will be widely available to 30,000 organizations that together manage more than 180,000 repos.

GitHub writes in a blog post that it makes private vulnerability reporting generally available. With that option, external security researchers can easily contact repository administrators if they find vulnerabilities in it. Administrators can enable that feature for their repos, allowing researchers to privately contact the right person without having to first search for a contact person or email address on a company or agency website. GitHub announced the feature in November of last year during its GitHub Universe developer conference. Now all repo administrators can enable the feature via the Code security and analysis settings menu. It is an opt-in.

According to GitHub, there are now 30,000 organizations that have enabled private vulnerability reporting. This would apply to more than 180,000 repositories, which together have generated more than a thousand reports.

GitHub also immediately adds some new aspects to that functionality. For example, notifications can now be enabled for all repos within an organization; During the beta period this was only possible for individual repos. Various APIs will also become available, including one that makes it possible to submit a private notification via third-party platforms. In addition, security researchers can automatically report a vulnerability in all available repos where that bug occurs.