GitHub now allows developers to notify their peers of discovered vulnerabilities quietly. The company says this will avoid the "name and shame" game and prevent the exploits that can follow public disclosure.
In a blog post earlier this week, GitHub said that, because of the way the platform is currently set up, there is sometimes no option other than to disclose a vulnerability publicly before a fix can be deployed, alerting potential threat actors.
"Security researchers often feel responsible for alerting users to a vulnerability that could be exploited," the blog says. "If there are no clear instructions about contacting maintainers of the repository that contains the vulnerability, it can lead to public disclosure of details of the vulnerability."
Report private vulnerabilities
To address this issue, GitHub has now introduced Private Vulnerability Reporting, which is essentially a simple reporting form.
When a developer uses private vulnerability reporting to reach the maintainer of an affected repository, the maintainer can choose whether to accept the report, ask further questions, or decline it.
"If you accept the report, you are willing to collaborate on fixing the vulnerability in private with the security researcher," the post states.
The Microsoft-owned platform also hopes that this reporting method will simplify triage, since reports are handled in one place. It also gives maintainers the opportunity to discuss the details of a vulnerability in private with the security researcher and eventually collaborate on a fix.
The repository community welcomed the news, according to one report. I spoke to several CEOs, technical engineers, and threat hunters, and they all agreed that this feature was in high demand on GitHub.