OSS Index Vulnerability Reporting

This repository is intended for reports of:

  • Advisories missing from OSS Index
  • Issues with vulnerabilities reported by OSS Index
  • Zero days: Not directly supported here, but please submit them to the Central Security Project, after which they will find their way into OSS Index.

Thank you for the help!

What is an advisory, and how do I submit one?

An advisory is a vulnerability which is reported somewhere on the internet. It might be reported as:

  • A vulnerability on a vulnerability list somewhere
  • A security advisory published by a product owner
  • A note in a readme
  • A GitHub, Bugzilla, JIRA, or other issue against a project

To submit an advisory, create an issue that contains the following information. The more fields you provide, the faster we will be able to add the advisory to our catalog. At a minimum, the URL field is required:

Issue Title:

Advisory: <A brief description of the advisory>

Issue body:

  URL: <Advisory URL>
  format: <Ecosystem name, e.g. maven, npm, nuget, pypi, rubygem, etc.>
  namespace: <maven groupid, npm scope, etc.>
  name: <package name>
  versions: <Version range affected by the vulnerability>

How do I report other problems in OSS Index data?

Sometimes OSS Index has false positives, or reported vulnerabilities are incomplete.

Issue Title:

Bug: <OSS Index vulnerability URL>

Issue body (provide a description of the problem):

  <description of problem>

