GitHub allows developers to notify their peers of discovered vulnerabilities – quietly. The company says this will avoid the “name and shame” game and prevent exploitation that could result from public disclosure.
In a blog post (opens in new tab) earlier this week, GitHub said that given the way the platform is currently set up, sometimes there is no option but to make a vulnerability public – and before malware removal software can be deployed – to warn potential threat actors.
“Security researchers often feel responsible for warning users about a vulnerability that can be exploited,” the blog reads. “If there are no clear instructions to contact administrators of the repository containing the vulnerability. It could potentially lead to a public disclosure of the details of the vulnerability.”
Private Vulnerability Reporting
To address the issue, GitHub has now introduced private vulnerability reporting – essentially a simple reporting form.
When a developer tries to contact the administrator of the affected vulnerability through private vulnerability reporting, they can choose to accept the vulnerability, ask more questions, or dismiss the vulnerability.
“If you accept the report, you are ready to work with the security researcher on a fix for the vulnerability,” the post explains.
The Microsoft-owned platform also hopes this method of disclosure will streamline troubleshooting efforts as reports are handled in one place. In addition, it gives administrators the ability to privately discuss vulnerability details with security researchers and ultimately use patch management software to collaborate on a fix.
The repository community has welcomed the news, The register (opens in new tab) reported. It spoke to multiple CTOs, technical engineers, and threat hunters, all of whom agreed that there was a high demand for such a feature on GitHub.