GitHub now allows developers to privately notify repository maintainers of vulnerabilities they discover. The company says this will avoid the “name and shame” game and prevent the exploitation that can follow public disclosure.
In a blog post earlier this week, GitHub said that, given the way the platform is currently set up, researchers sometimes have no option but to disclose a vulnerability publicly – before malware removal software can be deployed – which also alerts potential cybercriminals.
“Security researchers often feel responsible for alerting users to an exploitable vulnerability,” the blog reads. “If there are no clear instructions on how to contact the maintainers of the affected repository, this could potentially lead to public disclosure of details of the vulnerability.”
Reporting vulnerabilities privately
To address this issue, GitHub has now introduced Private Vulnerability Reporting – essentially a simple report form.
When a developer contacts the maintainer of an affected repository through Private Vulnerability Reporting, the maintainer can accept the report, ask follow-up questions, or reject it.
“If you accept the report, you are ready to work together to solve the vulnerability in private with a security researcher,” the post explains.
The Microsoft-owned platform also hopes that this method of disclosure will improve troubleshooting, as reports are handled in one place. Moreover, it gives maintainers the opportunity to discuss vulnerability details in private with security researchers and ultimately use patch management software to collaborate on a patch.
The repository community welcomed the news, The Register reported. Many CTOs, tech engineers, and threat hunters were interviewed, all agreeing that such a feature had long been sought after on GitHub.