
GitHub has introduced a new direct channel for security researchers to report vulnerabilities in public repositories. Repository maintainers must enable it manually; once active, it lets security researchers report any vulnerabilities they identify in the repository's code.
Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. But in the absence of clear instructions on how to contact the maintainers of the affected repository, researchers may resort to disclosing the vulnerability on social media or sending direct messages to the maintainer, either of which could lead to public disclosure of the flaw's details.
The default mechanism for reporting a problem on GitHub is the repository's issue tracker. Issues are public, so attackers learn that a problem exists, and they can use the age of the initial report to further inform their targeting. Attackers also retain the window between when a patch is available and when it is universally applied.
The new feature is designed to make it easier for security researchers to report vulnerabilities directly through a simple form. Upon receiving a report, maintainers can accept it, ask further questions, or reject it. If they accept it, they can then collaborate with the individual who discovered the vulnerability.
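Because the channel is opt-in, the practical question for an organization is which of its repositories still lack any private route for a researcher to use. The script below is an added example (not from the article, and not GitHub's own tooling) that audits a list of repositories for a private reporting channel. It assumes the GitHub REST endpoint `GET /repos/{owner}/{repo}/private-vulnerability-reporting`, which returns `{"enabled": true|false}`, and treats a `SECURITY.md` file (checked via the contents API) as an alternative documented contact route; the organization name, repository names and API responses are constructed so the audit runs offline.

```python
"""Audit which repositories expose a private channel for vulnerability reports.

Added example; not part of the original article or of GitHub's tooling.
Assumptions: GET /repos/{owner}/{repo}/private-vulnerability-reporting returns
{"enabled": bool}, and GET /repos/{owner}/{repo}/contents/SECURITY.md returns
404 when no security policy file exists. Network access sits behind a `fetch`
callable so constructed responses can stand in for the live API.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

API = "https://api.github.com"
Fetcher = Callable[[str], Optional[dict]]  # returns parsed JSON, or None on 404


@dataclass
class RepoAudit:
    full_name: str
    private_reporting_enabled: bool
    has_security_policy: bool

    @property
    def has_private_channel(self) -> bool:
        # Either the native private report form or a SECURITY.md with contact
        # instructions gives a researcher a route that is not a public issue.
        return self.private_reporting_enabled or self.has_security_policy


def audit_repo(owner: str, repo: str, fetch: Fetcher) -> RepoAudit:
    """Collect the two signals for one repository."""
    pvr = fetch(f"{API}/repos/{owner}/{repo}/private-vulnerability-reporting") or {}
    policy = fetch(f"{API}/repos/{owner}/{repo}/contents/SECURITY.md")
    return RepoAudit(
        full_name=f"{owner}/{repo}",
        private_reporting_enabled=bool(pvr.get("enabled", False)),
        has_security_policy=policy is not None,
    )


def repos_without_private_channel(owner: str, repos: List[str], fetch: Fetcher) -> List[str]:
    """Names of repositories where the only way to report is a public issue."""
    return [
        audit.full_name
        for audit in (audit_repo(owner, r, fetch) for r in repos)
        if not audit.has_private_channel
    ]


def enable_command(owner: str, repo: str) -> str:
    """The gh CLI call a maintainer would run to turn the feature on (assumed endpoint)."""
    return f"gh api -X PUT /repos/{owner}/{repo}/private-vulnerability-reporting"


def live_fetch(token: str) -> Fetcher:
    """Build a fetcher for the real API; 404 maps to None, other errors propagate."""
    def fetch(url: str) -> Optional[dict]:
        req = urllib.request.Request(
            url,
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 404:
                return None
            raise
    return fetch


# Constructed responses standing in for the live API (hypothetical organization).
CONSTRUCTED_RESPONSES: Dict[str, Optional[dict]] = {
    f"{API}/repos/example-org/api-server/private-vulnerability-reporting": {"enabled": True},
    f"{API}/repos/example-org/api-server/contents/SECURITY.md": None,
    f"{API}/repos/example-org/cli/private-vulnerability-reporting": {"enabled": False},
    f"{API}/repos/example-org/cli/contents/SECURITY.md": {"name": "SECURITY.md", "size": 512},
    f"{API}/repos/example-org/legacy-lib/private-vulnerability-reporting": {"enabled": False},
    f"{API}/repos/example-org/legacy-lib/contents/SECURITY.md": None,
}


def offline_fetch(url: str) -> Optional[dict]:
    return CONSTRUCTED_RESPONSES.get(url)


if __name__ == "__main__":
    repos = ["api-server", "cli", "legacy-lib"]
    for name in repos_without_private_channel("example-org", repos, offline_fetch):
        owner, repo = name.split("/")
        print(f"{name}: no private reporting channel; run: {enable_command(owner, repo)}")
```

Swapping `offline_fetch` for `live_fetch(token)` runs the same audit against a real organization; the repository list itself can come from the org repositories listing. The point of treating `SECURITY.md` as a second signal is that the feature in the article is new and opt-in, while a policy file has long been the conventional place to tell researchers where to send a report privately.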
The private vulnerability reporting capability arrives weeks after Checkmarx discovered a flaw in GitHub that reportedly could have enabled attackers to take control of repositories and spread malware to related apps and code.