GitHub lets security researchers privately report bugs in third-party repos

GitHub allows security researchers to privately report vulnerabilities to repository administrators. This was already possible in beta, but now it will be widely available to 30,000 organizations that collectively manage more than 180,000 repos.

GitHub writes in a blog post that it makes private vulnerability reporting generally available. This option allows external security researchers to easily contact repository administrators if they find vulnerabilities. Administrators can enable that feature for their repos, allowing researchers to privately connect with the right person without having to go to a company or agency’s website to find a contact or email address. GitHub announced the feature in November of last year at its developer conference GitHub Universe. Now all repo admins can enable the feature from the Code security and analysis settings menu. It is an opt-in.

According to GitHub, there are now 30,000 organizations that have enabled private vulnerability reporting. That would apply to more than 180,000 repositories, which together have generated more than a thousand reports.

GitHub immediately adds some new aspects to that functionality as well. For example, the notifications can now be enabled for all repos within an organization; during the beta period, this was only possible for individual repos. Various APIs will also become available, including one that makes it possible to also submit a private report via third-party platforms. In addition, security researchers can automatically report a vulnerability in all available repos where that bug occurs.