GitHub now allows developers to discreetly warn their peers of discovered vulnerabilities. According to the company, doing so will avoid the “name and shame” game and stop any unwanted misuses brought on by public revelation.
GitHub stated in a blog post earlier this week that given the way the platform is now set up, there is sometimes no other alternative but to publicly expose a vulnerability that risks notifying prospective threat actors before malware removal tools can be implemented. For researchers, who are frequently saddled with decisions that can result in further security issues, being able to report code vulnerabilities in confidence is crucial.
According to the blog, security researchers frequently feel accountable for warning users about a vulnerability that could be exploited. “If there are no clear instructions about contacting maintainers of the repository containing the vulnerability. It can potentially lead to public disclosure of the vulnerability details.”
GitHub has now added private vulnerability reporting, which is essentially a simple reporting form, to address the problem. A security researcher or developer can use the new private reporting feature to report a vulnerability report to a public repository. The receiver can either accept it, implying to the researcher a willingness to collaborate with them to fix the problem, or it can reject it, ask more questions, and/or signal other options.
By visiting the main page of their repository, clicking Settings, and then selecting “Code security and analysis” under “Security,” code maintainers or developers can activate private reporting on GitHub.com. They can select to enable or disable the option by clicking the arrow to the right of “Private vulnerability reporting.”
Since complaints are handled in a single location, the Microsoft-owned platform also anticipates that the new reporting style would simplify troubleshooting procedures. Moreover, it offers code maintainers the chance to privately discuss vulnerability details with security researchers and developers before working together on a solution using patch management software.
The initiative was one of several announcements made by GitHub during the GitHub Universe 2022 developer event this month.